| Rule Title | Rule Author | Ruleset Name | ID | #Files | #Undetected Files |
|---|---|---|---|---|---|
| Creation of an Executable by an Executable | frack113 | Sigma Integrated Rule Set (GitHub) | b5386a23355681c43cfbd2f2ccfe4b16ed45324d0d7b5583487a9f302ee1e427 | 12217111 | 1509284 |
| Failed Code Integrity Checks | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 134564d292d785dff102940b8a1ee06dba2d462c5fb852124b3771a49d7885f1 | 8969619 | 3408280 |
| Wow6432Node Windows NT CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 3e5fe19fbbb767b861e93022c3f95d25e1618fc86be75b05326ee57b2f75633c | 3734853 | 1402424 |
| Python Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | e4d5f1be0673fa786cc8379c15338af08cdd11eed433bead9e801d6204d42a2d | 2695352 | 640754 |
| Wow6432Node CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 18842e32896dd83b8aca4d5e1ac78c1f66b1d252479c0023cdd02f108c42c8cd | 2613099 | 28636 |
| Process Creation Using Sysnative Folder | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1dfbc92aba26dc597751f9cf42ff3eac446b827525d1a38ea6fb4141c9f9af01 | 2504135 | 930708 |
| Use Remove-Item to Delete File | frack113 | Sigma Integrated Rule Set (GitHub) | d9b2eb00753c3049fbb4ed4f7d88f29b65a0c50bec45ff4723b95bb637f8f83d | 2482666 | 979155 |
| CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc | 2243710 | 59871 |
| User with Privileges Logon | frack113 | Sigma Integrated Rule Set (GitHub) | 8919a871f4a52b7af785fab44b4665ab6a3637e6ebeeac0288df8a5012a48be2 | 1809546 | 771934 |
| Process Start From Suspicious Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 539d657ea3dfb52773cd8616d93fd64ba9112091984d1c3eb044c6e5dadd2c5c | 1351791 | 272439 |
| Suspicious Outbound SMTP Connections | frack113 | Sigma Integrated Rule Set (GitHub) | 3659f9925f327ac0ba2be9b3c8c7240f432c4b62f162b846c10410fff320b6f7 | 1174707 | 234 |
| Suspicious New Instance Of An Office COM Object | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffbbcedfb9a1fd41ebb288154c10cf5cf869eb25195708be30f8a9df74f411cc | 907362 | 776163 |
| Password Protected Compressed File Extraction Via 7Zip | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 22e867c244280c1d01bcddc8355c10d82b6c69577cd784cefbbe4eb5e7a82f65 | 877770 | 159064 |
| System File Execution Location Anomaly | Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f | 869678 | 7494 |
| Powershell Create Scheduled Task | frack113 | Sigma Integrated Rule Set (GitHub) | 60d527fe5a592cbe8e98428d1412743b909d5625ec8bc91d20e8b6ee8b36db20 | 825583 | 282481 |
| Suspicious Screensaver Binary File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | ad081ff821748a3cd86b5954ef5c3d7d2a6602fe0b6e50ed47938b98bc184122 | 763400 | 3350 |
| Disable Microsoft Defender Firewall via Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 4d91cff1255532aacd25d7b82261d545afc7d30837d1643a0dd2c4617aec5865 | 745600 | 298954 |
| SCR File Write Event | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 7a463b569de43655b8e8cf5b970001d720c38abf81bce54ba71ad19765b096e7 | 724340 | 2698 |
| Suspicious Double Extension Files | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | c9e528bd3557dc88b06bd5d2dfbadd96e24026bd2d890a2604febd2829c3146b | 680680 | 98 |
| CurrentVersion NT Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | d706314122bff93e0dbdf079f1d1904d2f00407f34a893487d70105b1dc5b9ed | 624276 | 6659 |
| Change PowerShell Policies to an Insecure Level | frack113 | Sigma Integrated Rule Set (GitHub) | 06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1 | 578658 | 287151 |
| File deletion via CMD (via cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f9333cf120369debd56e4e238fffa10bdb2a1497c11e08a082befd02f9f3bdf2 | 574889 | 195331 |
| Execution of Suspicious File Type Extension | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2104d1ee1ce64e7aa3dbd368652a54ce160e6a5751019af14601fc8fd1df8086 | 506960 | 12344 |
| Suspicious Get-WmiObject | frack113 | Sigma Integrated Rule Set (GitHub) | 1f7f8b1e9005dd4d64cb9d30ed53ee94f68fb96262fbd72f7a0266881149c79f | 487743 | 199084 |
| Suspicious Call by Ordinal | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7eb83db20f6f8b5f580e107c2b6816110a31869a94de5e2797d917335d9fbc0 | 451718 | 343070 |
| CMD Shell Output Redirect | frack113 | Sigma Integrated Rule Set (GitHub) | e77646c39db7fa011a5223aeb73c738046787fc7f62a99394e883d76a54341f7 | 408792 | 101492 |
| Change PowerShell Policies to an Insecure Level - PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5572c8188426269a10ccb41fc8e9c8445391ac38a0917621b0a1ee05ec99aac9 | 405563 | 157377 |
| Potential Persistence Via COM Search Order Hijacking | Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien | Sigma Integrated Rule Set (GitHub) | 7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4 | 280985 | 138941 |
| Stop Windows Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 9afc79c8a56e6e5c4cbd55d203a7dce8efc4ed28aa315b736c842a88b1d3dd0e | 272627 | 97147 |
| Potential Persistence Via COM Hijacking From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c64a541b46d176ef960f347f5e86ee15927eb668f86a5f9f6260bbc94b1d2f3a | 271867 | 132660 |
| Net.exe Execution | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | f1048c602439313e72f67c634350106ba7b709512529457a6f0a5eca6835bc89 | 271667 | 100395 |
| Suspicious Svchost Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a0daa529834b3c5230b4524da005a6b6503e7cb061e298a8f74e0dc1fee0a008 | 267698 | 792 |
| Windows Processes Suspicious Parent Directory | vburov | Sigma Integrated Rule Set (GitHub) | afd546ea5eff265c454f77f6e7641ade6e5a791d79de155fa27d377be1581535 | 264410 | 856 |
| Service StartupType Change Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b55af83c751d2c7bca8dbba245a97017e34109bff34fd50b02f60a91111ea703 | 242097 | 93933 |
| Suspicious Tasklist Discovery Command | frack113 | Sigma Integrated Rule Set (GitHub) | 54b43d3a279bdcbcca22abf416f8b57c691f2c84a9363507162ca472e30ab902 | 239937 | 97305 |
| Suspicious Network Command | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57 | 238877 | 93504 |
| Execution from Suspicious Folder | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | f8d48ec1128b00975e61e06393f6bb04a1d033a94c556d213b3bcb78a80589d8 | 235347 | 9561 |
| Cscript Visual Basic Script Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 140aa55cb94f2ee1de560a395631283b557b8f771117a7991289298e2c6e7f6e | 234969 | 93848 |
| Suspicious Eventlog Clear or Configuration Change | Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Sigma Integrated Rule Set (GitHub) | b8f19be4c7bf862dce0d4d1f7885f2207ddf93b3a33d8a6e16f3968c4fbb6491 | 232598 | 94048 |
| Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | 1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f | 232397 | 93321 |
| Powershell Detect Virtualization Environment | frack113, Duc.Le-GTSC | Sigma Integrated Rule Set (GitHub) | 6e1823de286f8bef414c648f5738bec3bd40700cba3765da26e6500bc2d8e387 | 230007 | 93135 |
| Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | aaa442da8065368308d21225f195c966f7aacd66f4a7703b37f095739a0752d4 | 229891 | 93109 |
| Powershell Suspicious Win32_PnPEntity | frack113 | Sigma Integrated Rule Set (GitHub) | 7cf1e08df2c1e71b9ecbab0ba652d8d7adc890f53db8c630b859d32064f3eb3a | 229759 | 93073 |
| Disable UAC Using Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 80708cad12d59acde6c91bdfbb0ed867ffd0538e97f962f2ffd72040a66ecb6b | 203213 | 324 |
| New RUN Key Pointing to Suspicious Folder | Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039 | 189117 | 7273 |
| Registry Modification to Hidden File Extension | frack113 | Sigma Integrated Rule Set (GitHub) | e6d175111f1e8dfecb77e2bbe404bdaad31873a97477136b427187abb5d09a89 | 188150 | 111 |
| Suspect Svchost Activity | David Burkett, @signalblur | Sigma Integrated Rule Set (GitHub) | dc04e64e69f5446c2a31920ee22415626307d5f3d0fb73ad81b9d3301a41000a | 145036 | 56 |
| Scheduled Task Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790 | 135653 | 2061 |
| Suspicious Schtasks From Env Var Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0533322c5c44794b71e761cd351a2459aad6e21ae95c9543d4c9fdb3c8fde6c4 | 134995 | 2677 |
| Suspicious Process Creation | Florian Roth | SOC Prime Threat Detection Marketplace | f09d5248ed8fc1a93251158bfda71f8144ccaf37fa922416ccd897498bff7c55 | 130111 | 3135 |
| Suspicious Double Extension File Execution | Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ead81ee12f2097316af35270a1ac0f8623db054349c52ef366fc42a4b7d2de2 | 125487 | 71 |
| Sysmon Configuration Change | frack113 | Sigma Integrated Rule Set (GitHub) | 953121a751fbc01b581e57dfbcfb08d3f714fa9df54e4180dfb7564c3b2e3153 | 120794 | 41788 |
| Windows Binaries Write Suspicious Extensions | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6676ee2bf136155325337ad27ca431e57ff815b4fbddfaf94908c8ae566aa5b6 | 114010 | 8010 |
| PowerShell Network Connections | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5e9f310ab6a8611ea1b7b788e712f0f6bf452c3092675694cf6256931874071 | 104417 | 18942 |
| Remote Thread Creation In Uncommon Target Image | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ea7ec9e92c165a4cef023fd658ef72279f03378ab53f4481eb973ecb2171b193 | 99745 | 2194 |
| Suspicious Execution of Taskkill | frack113 | Sigma Integrated Rule Set (GitHub) | cd06da2f3978bdb24b3f3c8f83c7df917a910c6b29921d0e375e418f340d8f3d | 99262 | 15837 |
| Floxif Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 98d1e74d54870538bf25e55522e0e31814ceaa32679120ff66addce78f4c461d | 92092 | 1530 |
| File Deletion Via Del | frack113 | Sigma Integrated Rule Set (GitHub) | 77ed185ff979a8d9206b5eed07bf6d5823529f713ed0ea19f2ef7a4a355568bc | 80748 | 4381 |
| Suspicious Schtasks Schedule Type With High Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e36b579d4bc4ef49ede1d82dd08ec1cba660d105c6f037d12ecf79b434617e88 | 79703 | 3654 |
| Suspicious Add Scheduled Task Parent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66d80afb92c9db3881829096827fcacc7b8a697c3ceeb3318163ce83367f394b | 77169 | 2295 |
| Powershell Defender Exclusion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e416af5a1bb67fdbd2f30ae3f5da7f74583460b36546527c909c354fb5dcd00 | 76307 | 1700 |
| Use NTFS Short Name in Command Line | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c0bf6ba71da9d0f13368b0f1281354c8f9b3d491845ea5902282fece277ec655 | 74866 | 6763 |
| Suspicious Script Execution From Temp Folder | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 96d2c399118cab5d249093badf4a85f0ef1889872b0191bdf131bcabc0994681 | 70584 | 7285 |
| Shade Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d8f0141497fc47a78fbf41591174881fdf0e85f2937b08befec5c6273f8867d2 | 68733 | 30 |
| Schedule system process | Joe Security | Joe Security Rule Set (GitHub) | 02b55b29ddf740930b68c311ca7cd59354f8c35ceda86d09a3fb06f08b760857 | 67985 | 146 |
| WmiPrvSE Spawned A Process | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22 | 61944 | 116 |
| Suspicious DNS Query for IP Lookup Service APIs | Brandon George (blog post), Thomas Patzke (rule) | Sigma Integrated Rule Set (GitHub) | 3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc | 61340 | 542 |
| Rundll32 Execution Without DLL File | Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp) | Sigma Integrated Rule Set (GitHub) | e7856bac967038b016efab8e4f315a2f16ccd6ba62f20d73df0ad3826fe654a3 | 60690 | 5853 |
| CurrentControlSet Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 5bddd3dd0944d27f3ff8b03e8a8a01f5a9d14540ea1779da5683fe601557a364 | 59162 | 1011 |
| Powershell File and Directory Discovery | frack113 | Sigma Integrated Rule Set (GitHub) | febfc891e8c04ffe16ce1a9eaf5731b0a321cf42be5c06aed06252ec31cdbb79 | 58217 | 20845 |
| Rundll32 With Suspicious Parent Process | CD_ROM_ | Sigma Integrated Rule Set (GitHub) | 63bcc6f98c4a5594772428a329b433392d70f18a841926328607f303f3d782a5 | 58019 | 1342 |
| Swisyn Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 173f49a095aef2bc0480b5f8a8ae6c2d0e4125f9096d618a3865346b34d726fa | 56601 | 80 |
| LOLBAS rundll32 without expected arguments (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2fd6d2b16365ba7157eee4934b406ac7d530b4ec62cc1b45c69ee4f07989f139 | 55619 | 5138 |
| Msiexec Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | 4a7e3b52f438365db6b61867f157e3bc434b40fb9916eba681bb857e7a1041ee | 52135 | 36702 |
| Service Binary in Uncommon Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a55e06a3fb02c5ab9e6338bc2b61d50ebaa7e4236c27862400b7633243f477be | 49952 | 7920 |
| Use Short Name Path in Command Line | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 3c0434c2b9b483a1c7879404c2a80556dc54436bf222a970ca7131b1f30079f1 | 48996 | 23650 |
| Set Files as System Files Using Attrib.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 62ce96b648991749ff9b9ccc7dafa1d8da64d6490e9f469683f00fa248ef9336 | 48893 | 800 |
| RDP Hijacking. Last logged-on user changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 13ed88b8063438c80d6eb6c7e9aeda38d201453d83fa949f65867ced46825db3 | 48327 | 17481 |
| Service Binary in Suspicious Folder | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 71686ca6fd31ecd29454e2d39e38be5c971f96ad539e461b7d1d79b85f90182a | 44970 | 4260 |
| LatentBot malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f5653d51811614b162ab7311b24033c85bf166bbc322d83f4f72d0b9a366a01f | 42523 | 19712 |
| Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c01baa2540aeb8f23c067318100db0ab3618e37acf7e219372e750398969c606 | 39841 | 22115 |
| Shell Open Registry Keys Manipulation | Christian Burkard | Sigma Integrated Rule Set (GitHub) | cd6c2801be2f14154f9616435303948eacedd79025bd0646cb3c34bb536b7cab | 37513 | 57 |
| Suspicious Execution of Powershell with Base64 | frack113 | Sigma Integrated Rule Set (GitHub) | eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144 | 37058 | 1089 |
| Suspicious Add Scheduled Task From User AppData Temp | frack113 | Sigma Integrated Rule Set (GitHub) | a219a0bf27f7f5f1acdc1fbdd83ff3d3f3711edd5b8111b967d8eb1575aa3b85 | 36801 | 1911 |
| Bypass UAC Using DelegateExecute | frack113 | Sigma Integrated Rule Set (GitHub) | da3ec62084336efcb20f4f4e3a94268ca6c1665699d00b48e490be7fc41d2287 | 35716 | 50 |
| Tamper Windows Defender - ScriptBlockLogging | frack113, elhoim, Tim Shelton (fps, alias support) | Sigma Integrated Rule Set (GitHub) | c14e1f7f13c2bd7f209d1a9b75c7c313606e7e245601bf31765f2770c858ce09 | 35484 | 584 |
| Modification of IE Registry Settings | frack113 | Sigma Integrated Rule Set (GitHub) | 7ca43f2acf2c039e776af286dca2b5216d23967e6e8fe43dd5a5cc95f86e52e5 | 35053 | 5528 |
| Dot net compiler compiles file from suspicious location | Joe Security | Joe Security Rule Set (GitHub) | 76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918 | 34860 | 9497 |
| Renamed Office Binary Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb031bd9cea5bfc07d877d0deeef37ed046229fe8cb82202aefe3220d14c8626 | 34700 | 1257 |
| HanaLoader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 38853c8efaf750ffd744961ebcbeb037146acaabb9ca85c445af59f87e98e44d | 33772 | 14530 |
| DropboxAES RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8c558244a29064b6842314ce986116d2007b1087f6f8bb45ae883911d0155549 | 33741 | 14539 |
| Drops script at startup location | Joe Security | Joe Security Rule Set (GitHub) | 196a9c9222e3b003ccb0caadc29931d851129ba863f99545299786a032864d12 | 33730 | 357 |
| Reg Add RUN Key | Florian Roth | Sigma Integrated Rule Set (GitHub) | aa87efb252a9cf7bb1fb0114336bd08c338bc9046dd498d187c209cd94ddbc6a | 30479 | 366 |
| CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | c3e407003db6c8b95e5a7dcbea08bddf8b53b265400c2feb32abfa523336257c | 29625 | 7 |
| Suspicious CLR Logs Creation | omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | a0cf7d21374ebc3567492775f48033b67b0a81b95521f405e5be52f2950f9d18 | 29575 | 15453 |
| PowerShell Web Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dac677b84d14788387f1c92fd6733396974f070639fca6be1bbf50df44b426cf | 28498 | 4071 |
| vbc.exe execution. | Den iuzvyk | SOC Prime Threat Detection Marketplace | 7f5e752d29abb27ef7222f5171fe6719092aa64cb1a11187e75e3efd277216b3 | 27432 | 132 |
| Suspicious Process Parents | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 339db70fcafbc2231425e99a4637ca5513d5eadd2f7807a2ad8bc9123ec81129 | 27342 | 24 |
| Process Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | c64577166c54aa12e6fafe9322a15fd35e2e359c52a4b545c470853d848557ec | 27140 | 1299 |
| Suspicious Windows Service Tampering | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 941abf5111763a135c88b4f6437475eb4c99e8d4c3ebdb4b74e30321695b0fa7 | 26814 | 800 |
| Use Short Name Path in Image | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | a913250de417b0235e4fbff14e07a25585d216d2000ee8ef314227987aef7eb0 | 26640 | 10827 |
| Remote Thread Creation By Uncommon Source Image | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | 5242ae9a7c0bb9967f443e598ba4d27edfa69ca76b6fbb7ad0d569f7e9067668 | 26436 | 157 |
| Potential Dridex Activity | Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 11ef2fbb89770dbec860f554810a4e34a33e1326589f9eaf562412ceba567f00 | 26166 | 596 |
| Potential Product Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 04969458bf2b005665d6b29fa937ccdfac26516eac5746c80ed78581033094c3 | 25239 | 648 |
| Milum malware detection (WildPressure APT) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb | 24149 | 114 |
| CLOP Ransomware detection (Sysmon) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 94b16fc40ce61b0527bd124b84d6a631649e579c2c571a3dc68d4f0f9ee4aa76 | 23309 | 5004 |
| Suspicious New Service Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e9fe41f275cf8282c3e18ce1605f533249acb7b3762d23c128bd0febd22a085 | 23279 | 5873 |
| Suspicious Executable File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | a3e8f1f39ee9f212f863aa80fb48e783e942fa1db242be073c5647888fd6b094 | 23120 | 1511 |
| Scheduled temp file as task from temp location | Joe Security | Joe Security Rule Set (GitHub) | 90af0ea1f6d871f169dfb41b18545bf456f980c5d75f60f1293c34f071f6a31c | 22887 | 144 |
| ServiceDll Hijack | frack113 | Sigma Integrated Rule Set (GitHub) | fb1acd0dbf62447f03607a7716d5d6bd489403a486bd8807beba004bab482bdd | 22693 | 486 |
| Regasm/Regsvcs Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98a4dc6e84bd2b7671587aaaaa8a8ae8fdd2f8d8880705d12e11f767c77df7c4 | 22617 | 349 |
| Dynamic C Sharp Compile Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | 764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2 | 22601 | 5017 |
| Use of W32tm as Timer | frack113 | Sigma Integrated Rule Set (GitHub) | c36744b5f28fd16a3d12551b5ab3040cda78b8771cefa8acaf2dbdd269e4af2b | 22443 | 10453 |
| Usage Of Web Request Commands And Cmdlets - ScriptBlock | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf | 22361 | 3107 |
| Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 358d598d019422b994aa86b74a025eddf76f526b50d61f4163e79404bbe9ad0e | 22283 | 10377 |
| Suspicious DotNET CLR Usage Log Artifact | frack113, omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | d3c65dba4df23fb384d566a6730f08957cd6e906ab86db5a042c01a5c4258230 | 22240 | 12300 |
| Too Long PowerShell Commandlines | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 4b2c1a09ad8532fd7bf380feea00e848eb5daf3d246d1f4dac0ef853f29bc01c | 21926 | 1428 |
| Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1c2774ed7c4cad91219d007aa7101b09d19b442613cd2e3fc453726a7abd1b1a | 18438 | 9 |
| Windows Defender Service Disabled | Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 5800379600db7e280b56236f291d8f474f097bed4c21c02367049347a8febc40 | 18403 | 58 |
| Bad Opsec Defaults Sacrificial Processes With Improper Arguments | Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53f67594c85a67cef198b525b556658fa4e46d1e49901472adbc8b7f0ba475a8 | 18360 | 28 |
| Suspicious Startup Folder Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3396956bf20db86e217299b41f051d8e3807a72f92450b595e46cc0a7e70800b | 18313 | 305 |
| FlowCloud RAT (TA410 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 159df9b8abe4902ba69f24455a788a64edcec473e20be350469118e1c586299d | 18247 | 844 |
| Registry Persitence via Service in Safe Mode | frack113 | Sigma Integrated Rule Set (GitHub) | 876ae5900040fc2ad5fd69d8477e94869d5e147f2af5c4456d0b099844c20bb5 | 17983 | 4933 |
| Hardware Model Reconnaissance Via Wmic.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cfdf6fdaa1841541e46a9c7701402dd4782cd08947692cfdcf86532c87ea3dbc | 17845 | 457 |
| Compression Utility Passed Uncommon Directory (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | f4fe24c510771cfebac8ea12b6e86858e92ee0807f17f8dd0e23e2dc5e1b8049 | 17664 | 380 |
| Suspicious Execution From GUID Like Folder Names | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 08e7088e12bfe2fa4d351a66754c13a0aa7ea7b70fb40c21ce782ac7321e54e4 | 17627 | 11418 |
| Stop Windows Service Via Sc.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd1cc05e1a1d9416b75088f7ba5586374900fc625479abf320585293e9e21639 | 17096 | 808 |
| Created Files by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 5c100e376f43b26c0279b6ecab437d35499a64f73cd9c1b180f62e840eebd2a6 | 17050 | 46 |
| Script Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | d2ba63dcfd40541d69308865939969a6282a95c29b46e0eaeb0c39701b6aa2f7 | 16865 | 10016 |
| Script Initiated Connection to Non-Local Network | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a | 16730 | 9994 |
| Use NTFS Short Name in Image | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53658db80063ea16a40c90c24fa4cdb4a146dec6685cf48c0167318df2cbe20f | 16574 | 1943 |
| Suspicious Hacktool Execution - Imphash | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5df091eea8e09dc9859059928ad9ae436f75c7bc67be324d1582e24fe627533 | 16093 | 10 |
| Suspicious Mshta.EXE Execution Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31e1f4457871d51593456a4331811513af82fe4e36d2b26a582dd6baa180a91d | 16000 | 716 |
| Suspicious PowerShell Invocations - Specific - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc48d8314d305b4c97b9f813958e20738bb989b83928e70ea811bb7c0bf7e197 | 15513 | 156 |
| Suspicious Service Binary Directory | Florian Roth | Sigma Integrated Rule Set (GitHub) | ecf07e5502e8c93b8a8359e6bde14af9098293d382223c0ecf59834a37cac953 | 15510 | 4 |
| Potential Binary Or Script Dropper Via PowerShell | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bda626dd3bfb65bcce23cf31a18f15b58628dc48b2bb5cd9fe5f9ea5f9a3cc8c | 15128 | 525 |
| Potential System Information Discovery Via Wmic.EXE | TropChaud | Sigma Integrated Rule Set (GitHub) | 0546c2d1b6847c71b54cd4de2f5363edba0cdf02eb90da287ec9c110d3c4af30 | 15084 | 189 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 17affcf8751489416a8bdd1c7819271220bd9bdd11f595b644b2966c3e3b1b80 | 14959 | 1088 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 156996684d126da245b795581497a973d9061da14c527920068752bc9a466ecd | 14828 | 452 |
| Suspicious Rundll32 Without Any CommandLine Params | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 87574dead19ceb246e10ccb4cb4fd5009c71c46de0d77965d2170bfafc2c3b14 | 14791 | 47 |
| Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | dc313eb40a68f81f4e6cc8b4658215600b2bac992cb67ea873d40ba70e41b7b3 | 14510 | 59 |
| HVNC Attack (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0643197645f9051600e631515cbe8f526e02ae4556e6125c8f9bf640dcc17849 | 14480 | 99 |
| rundll32 run dll from internet | Joe Security | Joe Security Rule Set (GitHub) | 232de5bd44720ce2fb34b305f8385e685f63ee5e14d8845368072b2fa100a5f6 | 14401 | 10200 |
| Group Modification Logging | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 48fbab3f0d31a3776ce8099e24b7c20af280fc9952c2d83fb8e54e4808a7d506 | 14315 | 1032 |
| Legitimate Application Dropped Executable | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | a323ff5e5edb2d7bf37ac8071bd7e0943ac4d50e99adf03671a8b5bb0eac5cf0 | 14182 | 92 |
| K8h3d campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2e5a93340aede0794b671d3b3d020fb719a3985e78a96970d36c5c326f2fef34 | 14047 | 321 |
| Office Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 0533bf39f662d089d6f317f51a9329a2865ffc0d84552c58c39a8d35672474a4 | 14013 | 11082 |
| PowerShell Download and Execution Cradles | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e88280a32f81c8575c3cb9b02910d867498fbf28ca75ca922ad991faa3a68879 | 13519 | 292 |
| Suspicious File Created In PerfLogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a689c467d9cf931ad8d7fcb39456815daf9e5fb748bad72f1269eb6a8d64c5a0 | 13443 | 0 |
| Windows Suspicious Use Of Web Request in CommandLine | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 | 13279 | 1216 |
| Potential WinAPI Calls Via PowerShell Scripts | Nikita Nazarov, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6c44b18934e9ddd288d035d35a258c41fce2d5f5ebafc55ff866a95fb78db9c2 | 13138 | 1398 |
| Suspicious Msiexec Execute Arbitrary DLL | frack113 | Sigma Integrated Rule Set (GitHub) | 5802db25decfb533c2f29a2580aaef6b1d4833aade450592d1dc36e256141c3c | 13099 | 8761 |
| Suspicious PowerShell Child Processes | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2105a0eff0c693326dcb33bbdcfd768fd6c8825061ae9eb48d31703fabf241e5 | 12838 | 919 |
| Renamed Rundll32.exe Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9c82223957e793a96ef035ed0c34e45da5cda4718210320cc09615a65b0fb5d1 | 12506 | 33 |
| Capture Wi-Fi password | Joe Security | Joe Security Rule Set (GitHub) | 2e31c80fe0affb3753d7456883282043c5795a0abd5906589d7b67f0eb04076e | 12438 | 227 |
| Modify User Shell Folders Startup Value | frack113 | Sigma Integrated Rule Set (GitHub) | 0799d32e125d6df849ced4dc75e232438c118a816477d3f80a390cbd8b4d07ef | 12107 | 47 |
| Msiexec Quiet Installation | frack113 | Sigma Integrated Rule Set (GitHub) | 269369cff6a753f9bd7a50d72f15b83a86911e2d6d46e1a38561ac385481c372 | 12059 | 5476 |
| Regsvr32 Anomaly | Florian Roth (Nextron Systems), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 455818bf9dc4423de74cdfa396a0735e0fd29acee7f47632575decb468b11cb5 | 11770 | 3205 |
| Add file from suspicious location to autostart registry | Joe Security | Joe Security Rule Set (GitHub) | ab2075510415e5fab5635dc30ecec20ea16d6bead9c4397297335c9520922561 | 11656 | 19 |
| PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9e98f5066d90fefc6c08a2a98baaaeecc9dcfccf65c96170128a898353b6d50 | 11509 | 16 |
| System Network Connections Discovery Via Net.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 90412c9cf799f0ce454d95cf6bdbef8b1264fbcde3cd6b065ae6aee265882a86 | 11105 | 1682 |
| Suspicious CMD Shell Output Redirect | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9312dc563b7e9a010a22b457fb7cd94e9c686b75dc20fcf8a10236dda0e5e2b4 | 10890 | 918 |
| Schtasks Creation Or Modification With SYSTEM Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9278f03bce6b217a82c054a78cc6ea5acfebb4b16cd25b7d6cd842bb1dcfd8f | 10625 | 2074 |
| Execute DLL with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 90c63349e180656f865f6206a06dbee57bd3226b32eb61fba3e6c7c4452d4e1d | 10435 | 2828 |
| Nymaim Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9d7fe3dd2aa50123d54b48a488447b37091616c00667ae7c459bf19dd1ad2e0 | 10422 | 14 |
| DNS Query To Remote Access Software Domain | frack113, Connor Martin | Sigma Integrated Rule Set (GitHub) | 210890087c5c0874ddc8155130ae1218d789f501e70a75ad47c71bbbc76004af | 10115 | 3326 |
| Use Icacls to Hide File to Everyone | frack113 | Sigma Integrated Rule Set (GitHub) | 2b816898a4d295bb7523cf3cf83af84a641b8f2a145e2ca8b12cdf2ac8193a13 | 9981 | 40 |
| Suspicious Csc.exe Source File Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7 | 9868 | 1518 |
| Suspicious Command Patterns In Scheduled Task Creation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c6cac3013982f7f078cbf7fdc49b83f80fe4377b7ba4434f2533c34c98a85608 | 9545 | 1518 |
| Xmrig | Joe Security | Joe Security Rule Set (GitHub) | c9f2b527fcecda6141fde1caee187052676355bc055141a8caa6c22482fca3ad | 9510 | 5 |
| Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8c09b5d8aeac44d4ad6b76333ab77edf4453d9c7f7db00d879591acfc9f98479 | 9482 | 9 |
| Greedy File Deletion Using Del | frack113 | Sigma Integrated Rule Set (GitHub) | c1c4c35f46055951f3124f8f5791b474f919c9dee2a42d1e737590c5eb7169a4 | 9396 | 29 |
| Suspicious Binary In User Directory Spawned From Office Application | Jason Lynch | Sigma Integrated Rule Set (GitHub) | fb4acb832d8776634f7ad5e60b2ae16c329118186cc8dcf04d1ce959185c6264 | 9376 | 2 |
| Internet Explorer Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 11ecb99add36c59a082a478e7c117545e6404a0b28c77c007c135739df91a489 | 9025 | 2837 |
| Disable Windows Defender AV Security Monitoring | ok @securonix invrep-de, oscd.community, frack113 | Sigma Integrated Rule Set (GitHub) | 78a8ebe85ceee09aa63f018db033f8616308e95816c4f7429ba0bafe2d0995b9 | 8909 | 67 |
| Vulnerable WinRing0 Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e6298fff951b11ea6aa772fe7d022e50af3068aa7254be68850f49e45e0ed13 | 8819 | 123 |
| Console CodePage Lookup Via CHCP | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 3bda98164bb253cb435c3bc30ce36f9f570b187e1481bf7feb1e9468422fd79c | | |
8618 |
2163 |
Use of GoToAssist Remote Access Software |
frack113 |
Sigma Integrated Rule Set (GitHub) |
df5ad6e42247717e66029569fa91f85ff8a54a54497ee42527054193ce21bc6b |
8400 |
4711 |
Use of LogMeIn Remote Access Software |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2d50b92426dd9dacf9cb8f8155e01c1358138fea49e2459c140ebd54d3e45990 |
8400 |
4711 |
Obfuscated Command Line Using Special Unicode Characters |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1afbb49fc8fb15fab2d75349956e426d182cdd6d06760b6d83594535a112fb1f |
8357 |
558 |
Firewall Rule Deleted Via Netsh.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
052f94156672e1511386806889ab6346ea81a8f49f98a8610ce616ee7a9ae931 |
8032 |
2175 |
Suspicious Execution of Systeminfo |
frack113 |
Sigma Integrated Rule Set (GitHub) |
f2a81aa24c1d19a09711179a71cd58fe057ab277cbef8632cc6a9281d5cf87dd |
7893 |
1145 |
Suspicious Curl.EXE Download |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831 |
7818 |
2201 |
Reg Add Suspicious Paths |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
4ed42e9d011d5674f2f07c78f41b8a2bfd742ee689b7a57fce8316e002688075 |
7794 |
636 |
Stop Windows Service Via Net.EXE |
Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5b84c64b930b911c8206935d6c61b2a128347a34d495da3ea3523cdf5397c3ef |
7725 |
1292 |
Tycoon Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c2a677a155b0fd75d813c22a6dc0d1632310c42fafb3c2d5cb08090c75ce491e |
7655 |
345 |
Conhost Parent Process Executions |
omkar72 |
Sigma Integrated Rule Set (GitHub) |
7b87fbdccf3c12011b709aab8b9bd4642bd61dc9880e0e1ce9ebb9901e2a3497 |
7629 |
228 |
LOLBAS conhost.exe (via cmdline) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
b29d2dfc7edb1018f0384c6a0606a6f59a25bb2e9e1ff8a0fa4bad79d7d4121e |
7629 |
228 |
Disable Windows Defender Functionalities Via Registry Keys |
AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
387844917f76d926b5dde6a796bcdb423a54d6df4ab736e7752fb73dc931e400 |
7627 |
455 |
Vulnerable Driver Load |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
efe6f377eb5896688f0baa7d44db4fc8d0639fa43f0d3dbb262bde8a7eb7b453 |
7467 |
307 |
CARROTBAT Malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e5937a80eca18cdaa94adaf02b89a4af91bb9605d3236af13685c8b481d9b1b1 |
7128 |
35 |
Suspicious Remote Thread Target |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
35516fc873ed87d5b0b7a43b8533ffc2f5caa47a50e9166c663b25628f65fed4 |
7029 |
663 |
Potential Binary Impersonating Sysinternals Tools |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8652ffc2b3174864b7f93e2652bbeaa97cba1ce3a0949c10a85ea086c2478680 |
7028 |
398 |
BackSwap Trojan detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
a5470af7af21c2bc99ebc438fe841b20ec62f530e6540dc01ce42deed3ffb1eb |
7026 |
24 |
WScript or CScript Dropper - File |
Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
858185cf49c680890b5a26787055bc3518a78b5c5f6fc2df09e5516b191cef8c |
6779 |
142 |
Potential Persistence Via Visual Studio Tools for Office |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
c04f755b9283e9e31eead7707a061225ee4da75cf49c91823ff8aa1d7e026551 |
6590 |
5506 |
Sakula RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
68a19d3c88378331526d97065cc73f033a6ff79b1ebd046f7d815d967bd2dd69 |
6530 |
0 |
Potential Execution of Sysinternals Tools |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
c718a898b26d6c8f64602f1b33c49df17864599a9ba4a879a1ac22848dbda174 |
6441 |
1713 |
Service Registry Key Deleted Via Reg.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
024bac7758bc9b41b74cd867afe686054dabf2eddd7128488f92797af3459361 |
6382 |
294 |
Unusual Parent Process For Cmd.EXE |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
16502dbca7468597f52d37ca5a5a0f5c904c43f0ca2b6726d890a67a63b68516 |
6256 |
15 |
SafeBoot Registry Key Deleted Via Reg.EXE |
Nasreddine Bencherchali (Nextron Systems), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
4202d03bb66c7e22943582a6959ff86dea30b0493ca74ce160940b0daf7b2797 |
6159 |
48 |
Shadow Copies Deletion Using Operating Systems Utilities |
Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) |
Sigma Integrated Rule Set (GitHub) |
ad5e4d4b939797a70a9aa742d979a4742c2cfedddd663fb1a43b2795c1e6054b |
6155 |
107 |
Potential WinAPI Calls Via CommandLine |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7d53de0fb9c4ee79b8ab06605cd3a8faaa400a586d577c9a7d692f059a3ac78c |
6021 |
3504 |
Suspicious MsiExec Embedding Parent |
frack113 |
Sigma Integrated Rule Set (GitHub) |
f46fb5682ba3b26a58530a0f49196fd4253c14c4e64dd7069f21357e3d079509 |
5973 |
3114 |
Tycoon Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4a1bfdd64820625ce8a3a3a1703ba1575511aa7971c4320893b9fa4b51c65a4a |
5928 |
243 |
Malicious payloads that are hidden in fake Windows error logs |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
a0266c26a19ccfed14f484c3055ab6ca00bdb3123ee47a1a36410d63d33650ad |
5711 |
1108 |
Droppers Exploiting CVE-2017-11882 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ea2bef709a3e478516f914938492950992d22f0077ede5a561e60f2c092f4dec |
5553 |
3530 |
Suspicious Schtasks Schedule Types |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
83e48c48a7932749737a7bd38f5caa95e168e9a37a1d0730ffa0349f567f2895 |
5336 |
106 |
Windows Shell/Scripting Application File Write to Suspicious Folder |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
248820e948efae04f89b524348c8398f0b278befcaec4fafddf73e9c5dda0353 |
5266 |
238 |
Suspicious PowerShell Encoded Command Patterns |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
12273189dbbd1ed526c045fb9a7d5e45682ba4e0a13e2e94d65376962a0bfc2e |
5190 |
304 |
Malicious payloads that are hidden in fake Windows error logs |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e55945cd70c0ffa247fd76996326089548147e223588b2b6aeef053c1c0ce613 |
5165 |
1420 |
Drops fake system file at system root drive |
Joe Security |
Joe Security Rule Set (GitHub) |
4754f502f65f5684ed3a2e0c3b8615d89d16535a2ad1fe25ac93f82423267ae1 |
5028 |
4 |
PowerShell Module File Created By Non-PowerShell Process |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b8c95f5909e68be942c69ab250a3b47557e33b2d1d582cd72e665210efeadb8f |
4968 |
5 |
Suspicious PowerShell Get Current User |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c0ad3fd3010dc41b8f54cd4f911b4bf081d2d195b0e7548cdc60ebcee9250ad3 |
4845 |
2706 |
Computer System Reconnaissance Via Wmic.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c8e910a6a612d2b2556bdcc91dfca15a43385b8571e490ed29c46ef1a3e5e144 |
4777 |
428 |
Regsvr32 Command Line Without DLL |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
c0cdd12b4805f2aebecbc0415332f2594acf1ae6d8d82da086eeac9a84bf0c37 |
4739 |
586 |
Suspicious PowerShell Download - Powershell Script |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341 |
4732 |
562 |
UNC2452 Process Creation Patterns |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
f282a8660328d20195770b77f51561e6885408fc2136a6916d0380839cf39301 |
4731 |
4 |
Files And Subdirectories Listing Using Dir |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105 |
4706 |
655 |
Stop multiple services |
Joe Security |
Joe Security Rule Set (GitHub) |
2319d1843957b572c6e41e1d83656e12eac1e5e75f59ac1ccc309c2b00e9ef86 |
4631 |
28 |
LOLBAS rundll32 with unexpected forward slash paths (via cmdline) |
SOC Prime Team, @SBousseaden |
SOC Prime Threat Detection Marketplace |
4df0b9d85eb21989ce009f134a8fae2edde67a305237b09a9daae0c40abae0ac |
4613 |
1869 |
Creation of an WerFault.exe in Unusual Folder |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4469b0111d1f4747a00542caf4ceadd719bff3e7e6e21793e9446d294be895bb |
4524 |
114 |
Suspicious LDAP Domain Access |
frack113 |
Sigma Integrated Rule Set (GitHub) |
16b459cba08f0827ee9607be238b1582dfd3717c30b129b5f215736d5a3c3e1b |
4314 |
1081 |
Powershell Defender Disable Scan Feature |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
452d2469c7cd2c2065eaf39a671afb28d62803ea89003d82491c0e02559fcb9d |
4289 |
379 |
Wscript Shell Run In CommandLine |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
83ab725e0e176c0c59e352231c53ea9aca280a122aaa1c79b3ac8cd955147dab |
4285 |
71 |
DNS Query for Anonfiles.com Domain - Sysmon |
pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
21c4870bc492f9b979f795cb98b5fd283fad4043432a9c3cd239097f04e945ee |
4140 |
67 |
PUA - WebBrowserPassView Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
33f5c9533af9250ea025177bce3fdac08e97300ebdcb88f194c75a49a985bcfb |
4100 |
9 |
New Lolbin Process by Office Applications |
Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update) |
Sigma Integrated Rule Set (GitHub) |
8a45e61fc1757825afcd5eca531a7940c6b8fd8ed95faee7b3ea517339e0ee17 |
4009 |
218 |
CARROTBAT Malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
5244e0d5e7e39e2209c4a02fd25867f6008966d611f19da634de6505358c95a6 |
3882 |
11 |
BackSwap Trojan detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
6cf0858071345dfa209de5be9510786314771819c7ae412dbfe82b134cb3697c |
3835 |
6 |
Suspicious aspnet_compiler.exe Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c72e2995683af253e803fa2fe4fb02eab21f864cf7e63657b4c1f5a21e5cd421 |
3806 |
9 |
Remote Access Tool - Anydesk Execution From Suspicious Folder |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e8f71f8fe8e705cebda4bbb0636db89fdd3c7b9c2faebe19bac1e6d0d6db37c5 |
3786 |
1424 |
Use of ScreenConnect Remote Access Software |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4e5183fbf4eb55f1facacd3e44e6d35245f2dea793693a25f292b52509cbdb72 |
3775 |
290 |
Pyvil RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1b78637b79c8dffe83e4631ca8812c2cab4799547d30fb65df21e42f1894053f |
3726 |
1846 |
Installation of TeamViewer Desktop |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2495a5176f32a1fe533956bb584ac28d8b3080d4d27a4a91f60fcf3c24bbfabe |
3674 |
2087 |
Service Binary in Temp Folder |
frack113 |
Sigma Integrated Rule Set (GitHub) |
36e24eb60fb7bfe4a61d59d53220df514ceab13a68a4221cf5b7d120d53c4a3e |
3629 |
467 |
Bypass UAC Using Event Viewer |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a0f94cedc18c397f576619978b15265938adc1cba9d431467d50db98d8a79972 |
3612 |
7 |
Xwizard DLL Sideloading |
Christian Burkard |
Sigma Integrated Rule Set (GitHub) |
96b3df20cf0336e4751b0a85d9786ada6ce7185e05988a511f646967e712cc1d |
3571 |
9 |
User Added to Local Administrators |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
534ecedeba777d436d37888757fcae6c00842f791bdcb6c39d8c804ab3c6a535 |
3525 |
57 |
Windows Defender Exclusions Added - PowerShell |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
cf863dff3d564c975d28d336cb7981fcd6956e6fb9afbd2794f600b130e83171 |
3510 |
65 |
CMSTP UAC Bypass via COM Object Access |
Nik Seetharaman, Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a30845acd045e920f165087e59ac6d9461f6c4bfadfa52e4c518e3bcb9d8cb0c |
3501 |
17 |
Suspicious Network Connection to IP Lookup Service APIs |
Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5 |
3476 |
59 |
Vulnerable Driver Load By Name |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8f6a6cfb95501925772edc51e1db78dd76eea0e212ed3a9923b1a0de9d552371 |
3434 |
998 |
Suspicious Powershell In Registry Run Keys |
frack113, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
cfe58f03c01bfef6fd133a3da09440cc5613a5dbeb310ee795cc443e18538943 |
3176 |
88 |
Powershell Decrypt And Execute Base64 Data |
Joe Security |
Joe Security Rule Set (GitHub) |
d77da6b7c1a6f6530b4eb82ca84407ff02947b235ab29c94eade944c4f51e499 |
3161 |
6 |
Potential Persistence Via App Paths Default Property |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cef4d3e30776e7c2f6f9875e0ccd23b74182701da04f922481d50f37c50281d2 |
3139 |
1320 |
Suspicious Process Discovery With Get-Process |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314 |
3137 |
700 |
Dllhost.EXE Execution Anomaly |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
55e193a1988b8c8a7a5a6a43dd2962320dedbc26a63c88ad59d1df2fa6897da6 |
3061 |
22 |
Windows Defender Threat Detection Disabled - Registry |
Ján Trenčanský, frack113, AlertIQ |
Sigma Integrated Rule Set (GitHub) |
baa17a6a8681c2a3d925f497f9c81458eab98535fd28d8909861aece2b9cb901 |
3039 |
45 |
Potential Dosfuscation Activity |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3ced86caf89e0cb118bce2037de20fae8f9a70e400916dcdd9c2ee1eec7c58c4 |
3001 |
48 |
Powershell Base64 Encoded MpPreference Cmdlet |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f86d8f196029958699a0b36a9a1a254d7c1bfc594fd486ee04c1e4988965f3b2 |
2955 |
229 |
Sticky Key Like Backdoor Usage - Registry |
Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
dd211e6e9cebdae07f1d14d61650061c791829402d134a1a9e064ae72b6c4cd9 |
2936 |
67 |
WinSock2 Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
688632515df3a00cecdf2ee4e9316bea52edf73c9cb0889c10d336de857c293c |
2927 |
296 |
Rundll32 InstallScreenSaver Execution |
Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec |
Sigma Integrated Rule Set (GitHub) |
e6082733e3e0087a0d92bb4d25eb43218d2a86b3681b4d5ee37ab8c2e6ecde4d |
2839 |
917 |
Suspicious Msbuild Execution By Uncommon Parent Process |
frack113 |
Sigma Integrated Rule Set (GitHub) |
99aac26486266b4916c883cf9ec793784cff9e6617ed361b8c47f7972a4baf46 |
2800 |
11 |
Suspicious Invoke-WebRequest Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
56fe16e9bd72e77ff37f1ceaab3ee67231b676c732b7ff10556298e7a60590e7 |
2775 |
499 |
A Rule Has Been Deleted From The Windows Firewall Exception List |
frack113 |
Sigma Integrated Rule Set (GitHub) |
67a0e8c868b0d9e328cacb80b1deb06682096f1919a50ecd953a8b4cc9a1d01e |
2754 |
2174 |
New Firewall Rule Added In Windows Firewall Exception List |
frack113 |
Sigma Integrated Rule Set (GitHub) |
67d7bc69b082fefa483232989806870ecde5e6bcb70d0db262c428e845ce0eff |
2754 |
2174 |
Windows Firewall Settings Have Been Changed |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1 |
2754 |
2174 |
Powershell Execute Batch Script |
frack113 |
Sigma Integrated Rule Set (GitHub) |
ece68c3b6fda1fe5c7d8707c5dd9099cf564ed0e7e7b480e97278c475f10e5a7 |
2750 |
201 |
Directory Removal Via Rmdir |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d0d48610cfc4076f9598a2787593e35702aa291f3772b3678c8025aacc26c35d |
2747 |
712 |
Disable Important Scheduled Task |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
09601976d693769f1fe442a0618410420380d7de7aeec4e52c0ebe6e3ebebe56 |
2696 |
90 |
Powershell Download and Execute IEX |
Joe Security |
Joe Security Rule Set (GitHub) |
317ff64a1d49452191210f7b55d7201e483352440ec851a9c716f6be7cfb7ec9 |
2692 |
119 |
Suspicious PowerShell Invocations - Specific |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc |
2690 |
175 |
Suspicious Scheduled Task Creation via Masqueraded XML File |
Swachchhanda Shrawan Poudel, Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
b0f576aead127b964909d75f26e113ee55e88fb8d2bac31fe4a5c12337b4f327 |
2683 |
13 |
Frat Trojan (Loader detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e5340d719fcf66efd2a0ce9db73895f3154a53e10e72e001760230ca6aa22057 |
2676 |
0 |
ChChes Trojan (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
a515be8db5d265bf43ba29f21c53f4e482fa0f7db4acc10054e85bc0c516a7ba |
2643 |
445 |
Share And Session Enumeration Using Net.EXE |
Endgame, JHasenbusch (ported for oscd.community) |
Sigma Integrated Rule Set (GitHub) |
7cb4a3985bd24a137550fa4c49b1da3fb949c3cf182a90950438e97aaad46378 |
2643 |
384 |
Use of Anydesk Remote Access Software |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0c4da16b3166fbd90cadb96254a8be0f74828fc4eb967256ac0483d9d0a10a96 |
2616 |
1127 |
Pykspa Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
daabc950b44baa5580ce5e56de6f2f363ce1854a5273ffd3ac321453e35a83b0 |
2603 |
31 |
Shell32 DLL Execution in Suspicious Directory |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fbd6086058f7f1742827e4bf39c6a7b3d7cc32120c2f2cd39a924363da2fe8f6 |
2596 |
2 |
Suspicious Ping/Del Command Combination |
Ilya Krestinichev |
Sigma Integrated Rule Set (GitHub) |
2e58fcf707ea25a6c7465ae2a0d4b35ff302cceb7b8fde4ac5d3467d832e005e |
2564 |
531 |
Add DisallowRun Execution to Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
aaeb77150a9427eedfb3c4c85538e120e703cd22905d020b93856bb7ebdb03a7 |
2561 |
0 |
Suspicious PowerShell Keywords |
Florian Roth, Perez Diego (@darkquassar) |
Sigma Integrated Rule Set (GitHub) |
a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d |
2560 |
417 |
SC.EXE Query Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
373890127a34a7d314b3d10d451aaacb806579ec3e9ed2515dbdd0a4d4bf7860 |
2453 |
881 |
Firewall Rule Modified In The Windows Firewall Exception List |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1b4845df7f68549988add5335d4685cb047e4eaabd5768d84a5483935b0d5499 |
2421 |
1905 |
Trickbot Malware Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1c7a83aaaaf300f7e44e597465797c7e812cc0c684756d1be37d0ac7acf0dc5c |
2406 |
0 |
Pyvil RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e1ca1eef7de3f782d09979e606d626e690c8a52046acf75e7a5de3203cd0a570 |
2376 |
821 |
Net WebClient Casing Anomalies |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2b81c8afee92062579f4f19ea901c1194542107857913a32a13108debb721c71 |
2363 |
20 |
Potential Crypto Mining Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6bbafdf03b2a79de4fa71f3fec777333b907de6172939c7a35b5bed23d4a4b82 |
2325 |
3 |
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell |
Markus Neis @Karneades |
Sigma Integrated Rule Set (GitHub) |
1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938 |
2322 |
4 |
Suspicious Characters in CommandLine |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8d9898d05ff5a6ca099b0ec5f7aee9f3581d649c0ac4f2cf24f874e95d19d5ac |
2317 |
329 |
Ie4uinit Lolbin Use From Invalid Path |
frack113 |
Sigma Integrated Rule Set (GitHub) |
186b21df711a2c225bc97a789a6794326e96247d7982569c6a23484bb7fd61fa |
2286 |
481 |
Suspicious Group And Account Reconnaissance Activity Using Net.EXE |
Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6782835a8af9329207a47fe5076c3dff20a8803bafbda97ddc938ae379eaf8df |
2266 |
202 |
Suspicious Execution of Hostname |
frack113 |
Sigma Integrated Rule Set (GitHub) |
87d10b87f13ab6dd0ee17c311d476bcf6fce51f746e639542c1c6c08b6ae8071 |
2236 |
472 |
UAC Bypass via ICMLuaUtil |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2219766fcc5e77936dbd9b7310a20b2ba3f5b4aac858c6ac312c81fcc2838d4a |
2206 |
15 |
Delete shadow copy via WMIC |
Joe Security |
Joe Security Rule Set (GitHub) |
be6d29855558a0e8c404486d8f1838ce35594866f126f9c1c62a9792e9c76be2 |
2134 |
12 |
File Download Via Curl.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2ba177894c99b540ea867640a2706237f274cc5b176aeae69bbe985e11bb1b06 |
2123 |
1052 |
Conhost Spawned By Uncommon Parent Process |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
6f60707627a0617e86bd3005d8ce73a34fa6e674c0169d593509953d67bfaa2e |
2111 |
504 |
Potential Suspicious Registry File Imported Via Reg.EXE |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
7c610f9de41fe35b34a2cbbdb30ffc39573016dafe890f4164dae07613c21fd7 |
2096 |
429 |
Suspicious Execution of Shutdown |
frack113 |
Sigma Integrated Rule Set (GitHub) |
157ee4e95270f64481c50464c0e4766830e1e2b38b214a98f9e3f977857c6c69 |
2075 |
287 |
Office Macro File Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
27801b0f98df1ce7686b07b693c59e734c47189ef3db24ea1093f6f00ff2ed67 |
2049 |
1180 |
Suspicious PowerShell Invocations - Specific - PowerShell Module |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
355b439d3a90c89090f6f266afd2306ad6a03e5ca79228ad1be6e9cb6940491b |
2046 |
28 |
Remote Access Tool - NetSupport Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
65cfc106cf4668ef2ff3c230ac24edd977515d2743358a7e4015e31ea26a4cae |
2025 |
191 |
Windows Defender Real-Time Protection Disabled |
AlertIQ |
Sigma Integrated Rule Set (GitHub) |
19a5c3cad343931aed1e013cfe07ab95ba7b853ee5b40c6828fc766529e602bf |
2003 |
26 |
Potential Product Class Reconnaissance Via Wmic.EXE |
Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fc6236ee6917b72dac2442d623fbec008944e69e1788346494f1f98b38acb5c9 |
1979 |
88 |
Registry Hide Function from User |
frack113 |
Sigma Integrated Rule Set (GitHub) |
82ee39002b5715b57e2aa8b1d93068fa1c6e7147795a59563c5812d827f7f3de |
1938 |
10 |
PowerShell Script Run in AppData |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4975d97d556849fe2e336bf1c8a5012b84eefe1d4059c527aaa8ec3f903022b2 |
1934 |
432 |
Register Wscript In Run Key |
Joe Security |
Joe Security Rule Set (GitHub) |
530f42d2839f1cd12564a3743f6b294d960920a76da960e2c17e5337c43df9c4 |
1934 |
22 |
Windows Defender Threat Detection Disabled |
Ján Trenčanský, frack113 |
Sigma Integrated Rule Set (GitHub) |
41872a2c86ff9bf310cf8a81b0235040c25793f1fe6255fdc5bf771cd716ddfc |
1912 |
1145 |
PoetRAT detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
8d515240682e798faa78be0b976770c35f93bbf484d6a3876b1f640670a5aaee |
1879 |
4 |
Use of Forfiles For Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1b7c75c23f2baad2051b96c094a3e6fd1d3f27a92c0518c2cfd7257229c57a72 |
1867 |
129 |
Uncommon One Time Only Scheduled Task At 00:00 |
pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
85cd399008ef4733657024eb14bcee01c9eda5cb5a070f2f186550293ebe4d29 |
1858 |
19 |
Suspicious File Creation In Uncommon AppData Folder |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8c035500d22804f658be72a55a2b5d591891e0a77e57447d0f0c6f62f89e9ade |
1852 |
65 |
Parent in Public Folder Suspicious Process |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
84c8381801022afb55be7429db7a75474adba79984c4b957f33c62e931b0f282 |
1850 |
5 |
Common Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) |
Sigma Integrated Rule Set (GitHub) |
aa1c4ee10caaa9d521b34246c51e0c22c8af0a4b7fdb1cdd9faf1182ef6dd14c |
1840 |
11 |
Wab Execution From Non Default Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ee4aa57ce6316f4a46bc9e62a1748e7d5d687ad6315114f4d4eff654910c961c |
1837 |
150 |
Reg Disable Security Service |
Florian Roth (Nextron Systems), John Lambert (idea), elhoim |
Sigma Integrated Rule Set (GitHub) |
0c3e5c376a4a569ab4a4f3217dd009bb34e695e5fa82da85111db47f2b801bc9 |
1809 |
91 |
Suspicious PowerShell WindowStyle Option |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101 |
1790 |
161 |
Suspicious Program Names |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
3dd877e77def39df894b8703b956bdc819796feea2cf44bef9f73339d5a37b5c |
1768 |
184 |
File Dropped By EQNEDT32EXE |
Joe Security |
Joe Security Rule Set (GitHub) |
4740c645e33c5fbe1595ad953f030f0aa29f78fcbd141282536d02587eb05d0f |
1764 |
0 |
Frat Trojan (Loader detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
ba827fe25e86d6bf964385767d27442482e273923ce0185d7c335239fda7a2b2 |
1764 |
0 |
Suspicious PowerShell Download and Execute Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bdb4652f83b1c4482478b0c14bcb08d332fcd600a7303ab1c709c543499be726 |
1708 |
36 |
Gzip Archive Decode Via PowerShell |
Hieu Tran |
Sigma Integrated Rule Set (GitHub) |
0df382f7e3b997a4d0a5cf1e3096ed303ea8bef29d4a223899b1bd70c251bc33 |
1697 |
478 |
Possible new Cobalt Strike dropper |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
3cb32dc8f1ba61964f235761eac5b49d22264f521e003ce641a508eaff8d0eec |
1691 |
583 |
Application Removed Via Wmic.EXE |
frac113 |
Sigma Integrated Rule Set (GitHub) |
51aa013b39842efa6b0daa94240755c0d8b9d7b71b5cf5cc482247a3c7b8bc57 |
1629 |
363 |
Winrar Execution in Non-Standard Folder |
Florian Roth, Tigzy |
Sigma Integrated Rule Set (GitHub) |
99b7b3abf0ce8f702d10cc3f120ed16591df3c13fbda30b46e0623d93cdac439 |
1628 |
731 |
Squirrel Lolbin |
Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
556a1aa7c513ecf9a4f6edfb0176deb074a2cf1447650e01766fe9efee338c35 |
1618 |
782 |
Set Suspicious Files as System Files Using Attrib.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
afdcecbde34527044e8c4c24e502ed3dfae6daa2d07665ad18226afff77ed6fe |
1615 |
42 |
Finger.exe Suspicious Invocation |
Florian Roth (Nextron Systems), omkar72, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7014c2ce26877573641173ba99dcd8d8af4f637986c42be19651a8a37c5ead6f |
1607 |
39 |
Registry Modification Via Regini.EXE |
Eli Salem, Sander Wiebing, oscd.community |
Sigma Integrated Rule Set (GitHub) |
876619ed554fa68bef3ccfc88d359efb8c1f05d0781e13279ff3c4ff29f4989d |
1591 |
191 |
Suspicious Certutil Command Usage |
Florian Roth (Nextron Systems), juju4, keepwatch |
Sigma Integrated Rule Set (GitHub) |
f1e311405e4ccc1c99ed8213bdc24b813560700daa47ca78033edd0d8993ba04 |
1556 |
217 |
Wscript Execution from Non C Drive |
Aaron Herman |
Sigma Integrated Rule Set (GitHub) |
2f480881c25523a22197ce2abfca8d05a61f804534f8a053fbf65303a9375332 |
1548 |
108 |
Lolbins Process Creation with WmiPrvse |
Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) |
Sigma Integrated Rule Set (GitHub) |
eb1dbd652c505f66652af5683ecfecaacb1483523b07254e9d1eaee151af6ec9 |
1494 |
2 |
Powerup Write Hijack DLL |
Subhash Popuri (@pbssubhash) |
Sigma Integrated Rule Set (GitHub) |
c50b384b3d0f5d468c48abf6ac8fd6095727405ed00d170aeadf0fc1b4add34b |
1491 |
47 |
DriverQuery.EXE Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a67413f6ee51de2df640e8a66bd1d745d4e44207f484cbd3b33ac3b3fcbb0688 |
1458 |
92 |
Creation Exe for Service with Unquoted Path |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3b925709ef1196fbdf20c495c5a7972944bd56a4ab342009ef41e3f3273c15af |
1448 |
0 |
Boot Configuration Tampering Via Bcdedit.EXE |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
2da0b3cba5dc2b56e1426049598590c54a224e6d15740b9b07c108e089c84520 |
1447 |
47 |
Windows Defender Threat Detected |
Ján Trenčanský |
Sigma Integrated Rule Set (GitHub) |
cf90b923dcb2c8192e6651425886607684aac6680bf25b20c39ae3f8743aebf1 |
1445 |
1143 |
Suspicious Recursive Takeown |
frack113 |
Sigma Integrated Rule Set (GitHub) |
f3043e9cf491489279145a8ffefa67bbe2fc398be8117092c11cdfdc2f9768e7 |
1444 |
1048 |
RunDLL32 Spawning Explorer |
elhoim, CD_ROM_ |
Sigma Integrated Rule Set (GitHub) |
ac298c53d8d1f5e60dfe82fb023ca044b4a7477be65c3b5eab997e0e9cf64528 |
1436 |
140 |
Remote Access Tool - NetSupport Execution From Unusual Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0c574c15cc6c9a17edd7b81b15044dd26631d2a7f6c2d428c6d68d9816e6b84d |
1403 |
113 |
Ilasm Lolbin Use Compile C-Sharp |
frack113 |
Sigma Integrated Rule Set (GitHub) |
611acd0c150597ac4f2758e96797e2e85ce476be43fdec2817e9cd8bcd44de66 |
1396 |
132 |
Potential Emotet Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ada08103432e4112d167b1d10f0fc02281936c8fcb181de17d5bca07755bac84 |
1373 |
4 |
Legitimate Application Dropped Script |
frack113, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
2d15bc5d08223728e30ed4330ad99024b1467ac8ddb073e7ed368b0468898e80 |
1366 |
324 |
Whoami.EXE Execution Anomaly |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
05b85f64fdf521b059aab9daf9d75829fa4a5febd27fe09ac0224e405b57a654 |
1355 |
188 |
Browser Started with Remote Debugging |
pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4eba2a7f729f2c02ec972ed01919c8bf5d2b8493f9d6a934f14cf0d3a55d14db |
1344 |
135 |
Service Reconnaissance Via Wmic.EXE |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d9ee3f478c792e1c6683bb60949d7041271eaeee5e5927b518a6f65e7da2607e |
1295 |
80 |
DNS Query Tor Onion Address - Sysmon |
frack113 |
Sigma Integrated Rule Set (GitHub) |
674f76f777472c9d2fd1dbb116a9a1a6bf35dac71c41ca14a21ac0493d7f471c |
1291 |
87 |
Powershell Token Obfuscation - Powershell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0328ed59c29ebeee509b67ed087523a3cbfc646542f343aa12f9b1bbd64324fe |
1265 |
408 |
Suspicious GrpConv Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
aa2a49ac8cb28455a3f30cf373b4ee1ade0b735bc1db5a574956be8f95fcf6d7 |
1253 |
470 |
ilasm.exe execution |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
382ffab0f18db16a9fabc5be94893af76646b4a1c35d436ba2ae16961943008e |
1244 |
42 |
Writing Of Malicious Files To The Fonts Folder |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
50cc064f594178311fd316bf296afdcb85c962c45cbc15ab0984ca5de2940d67 |
1221 |
4 |
North Korean RAT - BLINDINGCAN (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
6bb61b38bbb774f185f535cafe7a2fc3b848377409dde9963a571d825562c79a |
1220 |
1 |
Potential Rundll32 Execution With DLL Stored In ADS |
Harjot Singh, '@cyb3rjy0t' |
Sigma Integrated Rule Set (GitHub) |
115d14851bb2ec7497bd4b28be653bf38f285d93d2dc7bbe1c9c7ac94a76da3f |
1211 |
286 |
Suspicious Curl Change User Agents |
frack113 |
Sigma Integrated Rule Set (GitHub) |
93f12e3e5c1af45ad5cce51fca771889beae9d1da27d23d889c557f217fc803f |
1203 |
13 |
Usage of Renamed Sysinternals Tools - RegistrySet |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
96f6bdacbe2704258d0efb6732980de5d8c8fb4c21f34072ec9e4e2267271ec0 |
1189 |
116 |
Cabinet File Expansion |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
2c33916c73b8057eb865f965b0e9e05fddeae85fa5405eee775a7df4cd58173d |
1187 |
390 |
Use of UltraVNC Remote Access Software |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b6d588df62f37e97081e8f05b809fb56a925b1514f359dca67c7b51fe46c6812 |
1184 |
297 |
Suspicious PowerShell Download - PoshModule |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
69130b2eb287f08303a7092222cc3a0be896a066b64f8b32f96d08ff4708e37f |
1175 |
53 |
Change Default File Association To Executable Via Assoc |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7fb55b14b0522200d56a9829ce919bc7a3bb320b473d376575989fde5e57f8d3 |
1170 |
0 |
Possible Ransomware or Unauthorized MBR Modifications |
@neu5ron |
Sigma Integrated Rule Set (GitHub) |
388ce51cb79d4deced7fce86e5dcf1e2eec1c04720fb2fc7e451d12abbd53416 |
1170 |
324 |
Bladabindi backdoor |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f47281ceea7e998eb629b82b6be68c1aaa23f6b18111420b7a52cd72b575f527 |
1169 |
1 |
Always Install Elevated Windows Installer |
Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community |
Sigma Integrated Rule Set (GitHub) |
b7188ffaa64031d83c409b5110885c29570d52a6ba3bacaee0392371cf071016 |
1154 |
473 |
Excel Network Connections |
Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
cfd44c3835317e846b18021a9060f4b9b011294ec53eb3ac1fad568abeb37922 |
1140 |
899 |
Relevant Anti-Virus Event |
Florian Roth, Arnim Rupp |
Sigma Integrated Rule Set (GitHub) |
39e7fb552f1143dc6ba79ca293aaea514c20448ec6241a53cf150f29298b942d |
1140 |
185 |
Remotely Hosted HTA File Executed Via Mshta.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
25fb50db6056bc3db5e2f3d8d53b6ef8b6fad41ac3ecaf0386e316bd1711baf0 |
1121 |
52 |
Suspicious Driver Install by pnputil.exe |
Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
8fd9d688a4929d85f6ba829ccf0fe235ff5f6bcc6ac25306e6425671b81eaa80 |
1117 |
881 |
PUA - NirCmd Execution |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b206243f31b4de9b9721047301fe3728fcfc85f7c7db682bd477e0d7c41093b1 |
1112 |
73 |
Add User to Local Administrators Group |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fd4f9d3b927e38cad7f6a36f5f41cae6a1450b551d9506408259953d8d4ee23d |
1093 |
128 |
Wab/Wabmig Unusual Parent Or Child Processes |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1c3bd5d3931125cc632573be718453c2b36b0f1392032fda05ad4d1982d1c0cc |
1091 |
0 |
HackTool - SecurityXploded Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b097e888f96f943b0d94d7835326dbbc76b3cf117fd9407832fbace74cb60f48 |
1086 |
51 |
HackTool - UACMe Akagi Execution |
Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3c4f6f1af78c01c8d7d6fcdd27c3167044933fcdf73f667e973ce1068765ea16 |
1055 |
4 |
Operation Vicious Panda (COVID-19 Campaign) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
cf68f11f087c4b3b504b67cb0a9e4a499e486a6de10aee0811ab515d3336d7f1 |
1021 |
30 |
CMSTP Execution Process Creation |
Nik Seetharaman |
Sigma Integrated Rule Set (GitHub) |
4ef4d3aed2ed44386659d6aefb7649de9568189358f367fb8708d1870d19fdc7 |
1019 |
80 |
Potential Raspberry Robin Dot Ending File |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
36337e6a48c8f0ee0480d1739b35c93b2d000d9b86a4ac01dbf80b5960b6db32 |
1000 |
669 |
Suspicious LNK Double Extension File |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
a22ff20d7afa397abe4e6127e6da647b437781be86602fc20a88c1403f1200bc |
998 |
709 |
Malicious PowerShell Keywords |
Sean Metcalf (source), Florian Roth (rule) |
Sigma Integrated Rule Set (GitHub) |
5bd56545b7e384edee75e378b7ee025e05f6bcb012607cb6425ccedd54fdb070 |
996 |
49 |
PowerShell Script With File Upload Capabilities |
frack113 |
Sigma Integrated Rule Set (GitHub) |
80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1 |
994 |
220 |
Script Interpreter Execution From Suspicious Folder |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
92acfd50d9fe4d995d6998a5346e4e031ea037d422458bb4f74555a52ffc886c |
989 |
112 |
Creation In User Word Startup Folder |
frack113 |
Sigma Integrated Rule Set (GitHub) |
f441bf0f20310d2f8fb4c38b047725cf9bafb59c2a7634f73d2d38745157b248 |
980 |
59 |
Read Contents From Stdin Via Cmd.EXE |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f |
963 |
79 |
DUNIHI Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
7c58e06f9c4bfbbca18106234f802a2f21fcd03ca11bcc0d10c040d1e451d4b1 |
956 |
3 |
Potential Recon Activity Via Nltest.EXE |
Craig Young, oscd.community, Georg Lauenstein |
Sigma Integrated Rule Set (GitHub) |
1419b2c28c143f7062ef95f941065d5327c65890cab58ade41efd168132d8b3b |
928 |
152 |
A Member Was Added to a Security-Enabled Global Group |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
ba8140e5173f7647dc01d2d1aae82bf84283f52c7aece9e9a61f7f5e75ffe53a |
926 |
47 |
New Kernel Driver Via SC.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b1f54a781e9cc27de125f11b56abc94639629aaf0f1fdf9072886fde50266b7e |
911 |
405 |
Powershell download and execute file |
Joe Security |
Joe Security Rule Set (GitHub) |
1fd2d09eff791a970cc2ad6da0820134ef9d52d4341ab32028edd04e8dd158bd |
906 |
23 |
Windows Share Mount Via Net.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9816ac44605bf8e1595ecff4424e6d78357aaa8449a03737687a18866b736909 |
898 |
362 |
Suspicious Manipulation Of Default Accounts Via Net.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4932dce91cb1fcd2986acdfc28c116d5bd4899b8052649b068effd4022c81f8a |
897 |
107 |
Mimikatz Use |
Florian Roth (rule), David ANDRE (additional keywords) |
Sigma Integrated Rule Set (GitHub) |
62e99f238afed27b43182594e90243db3ec17324c819a349f12ed55c015e5a71 |
891 |
0 |
HH.EXE Network Connections |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4630d11b74b3a0ee68be5cd7788cbf0adc046f1248a513c2971cf8dd4a03835b |
866 |
782 |
Suspicious Userinit Child Process |
Florian Roth (rule), Samir Bousseaden (idea) |
Sigma Integrated Rule Set (GitHub) |
1170a97b19098b92c7fea421765b81d0cea10e0140d9fed3c4d0769718c4b248 |
857 |
1 |
Valak Behavior (Sysmon and Cmdline) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
7703b5b01adde91ddc9f6ec5a2ba30dd35be11277cad519ecdf5442a8358319f |
857 |
99 |
PUA - Process Hacker Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9a58c7a82520f7b9dc792cd56e2fce86b3157b6cef6fb23101ba29111c5e4733 |
852 |
37 |
SideWinder Ransomware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1f154d23ec03058edb48ed3380f862daca50719af728e0660a5dc14a5ab5b867 |
844 |
52 |
CMSTP Execution |
Nik Seetharaman |
SOC Prime Threat Detection Marketplace |
7577d4e0fc2ced5cc24f093d5dca8c02dd117651e5112bee21b6526b7fa34075 |
828 |
46 |
Bladabindi backdoor |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
21b5ec718fa5dffa5785f1bdf68d0bab711e89bf6d4613aab3af0c7d0acdbd0a |
788 |
0 |
Potential Windows Defender Tampering Via Wmic.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3ba90b1c0830dec1dbbd2f42eb503552860963d25a6bbe081b92875c243be50d |
777 |
6 |
Disable Windows Firewall by Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2e9f34a4006a3d9169bfe02d2b846c4db28b03c5394e9216e6dac294db0644f8 |
758 |
3 |
Suspicious Extexport Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
942c07d4243aed525402c1e4e2f9880b477ba72abc7023c30c9c10737399e077 |
754 |
44 |
Domain Trust Discovery |
E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72 |
Sigma Integrated Rule Set (GitHub) |
e5bf067d8fc5f77622680e942156a44de63eda6026750ac80c29d0304dca435e |
752 |
0 |
Quasar |
Joe Security |
Joe Security Rule Set (GitHub) |
295f36b4fe50737f7d27a3862ea45297f78efdf77ab2decd501b4a852765ceaf |
750 |
10 |
CMSTP Execution Registry Event |
Nik Seetharaman |
Sigma Integrated Rule Set (GitHub) |
ffeb4d256edb1234faf30da37a584025d92817eb5a21c5394c4c6d78e3922d95 |
744 |
19 |
DLL Sideloading by Microsoft Defender |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
3a9cafc6a4cdfee1d351b5145ef1b7d6a64e707b04945a9fa54298173b7eaa64 |
739 |
94 |
File Download Via Bitsadmin To An Uncommon Target Folder |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
26ba1712f407ff4fbcd023c45091ebd8daf92a2befec4d5f1969002f7eeead49 |
737 |
112 |
Modify Group Policy Settings |
frack113 |
Sigma Integrated Rule Set (GitHub) |
dfec584345112d1012631493a8cdef4a2eb03ea5bd33d360363e24776a148a71 |
728 |
97 |
Suspicious commandline parameters (shellcode in the command line) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
c6bf20aec5b9dd748265363c7d01846ca0a5fc666f1114770a8bb7f5e764e4e2 |
724 |
396 |
Potential Command Line Path Traversal Evasion Attempt |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2a64ca949e5ce433b70a21b4be0e71e5ad0cd2465395fd093410ce2d33177cdc |
722 |
148 |
Copy itself to suspicious location via type command |
Joe Security |
Joe Security Rule Set (GitHub) |
ca9a79f8e23430115778a41aa4671433713b393278e1a60331cbb991a0f30f82 |
720 |
56 |
Potential In-Memory Execution Using Reflection.Assembly |
frack113 |
Sigma Integrated Rule Set (GitHub) |
912f22774b3e6d5ee33f034551a616aae59ae320fe812cf9c2010432ca80df77 |
720 |
230 |
MZRevenge Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
aa09c929bbf92e934dc584324a80a81643f2c336dba38293142077f86bdde84b |
716 |
356 |
Suspicious Scan Loop Network |
frack113 |
Sigma Integrated Rule Set (GitHub) |
14d137deb681ad845cc2e1992b2e9cb3490ddb1372d62da747f4042d7e6b87b0 |
708 |
67 |
Potential Ryuk Ransomware Activity |
Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
38e5073851afbf6c39ea309703c229e83988c6d3548896a389e9ef8795917947 |
707 |
15 |
PUA - NSudo Execution |
Florian Roth (Nextron Systems), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
813ebaa5c2ede1835703f1defdfeae762f95ae97f36a5ee2da94b4b2b0877e5a |
691 |
12 |
Potential Data Stealing Via Chromium Headless Debugging |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
894bc44621968b8ec9fc62b70f7ecf4d2f1e5bf6ff6c9e1c450929a2f2d8cc09 |
690 |
14 |
Suspicious Firewall Configuration Discovery Via Netsh.EXE |
frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' |
Sigma Integrated Rule Set (GitHub) |
25c7926ea5dfde7ab41cd4aeebfb89e01d4dcb8b7243522af4f643f690d857c7 |
688 |
154 |
Windows Internet Hosted WebDav Share Mount Via Net.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
958619e5eaecca1767a6c71701ed1838a9cbb62ccabbe7c6a9d8679a3fc0e0f8 |
688 |
279 |
Suspicious Query of MachineGUID |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5b823c33b4d7a619c0190d52bf60fd92f6768d9bff34fb85446b00ca141f030a |
675 |
361 |
Start of NT Virtual DOS Machine |
frack113 |
Sigma Integrated Rule Set (GitHub) |
705bee7ec50dc3b36f21deb0d2cb6e19b1a84d8142bae256797827d59ddcd242 |
651 |
71 |
WMI Remote Command Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c63cb58172dccb53cf9cd1dd7f6a65cc8843987d003bcbb7b0c1e7769c3821c4 |
637 |
178 |
MZRevenge Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c5132d9b7ddc56b36fc0095350bd8556ff7fc29c750387be3e0344beddf41f7b |
617 |
303 |
Steal Google chrome login data |
Joe Security |
Joe Security Rule Set (GitHub) |
acba408186cae97e9de5ad46ba35ffdf61f94f181c5287bfd9e76aa1e5293b1b |
609 |
0 |
DUNIHI Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f4f15f4329fad912838474d3d5eb2925ae7045b2046b5dcf92c7c16c189927b5 |
593 |
0 |
Nocturnal Stealer |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
08655a77d7ea003dba35be4775284dd12a24f9469c9e93ad2d085afe3f4e91d8 |
589 |
5 |
File Download Via Bitsadmin To A Suspicious Target Folder |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a88a5cca5a8f8c7db551190230651c821a8acb62ba7f1da53866381af9c5263d |
587 |
312 |
Indirect Command Execution via Forfiles |
Tim Rauch (rule), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
21c4db1b5b4f502860c9d961662f1f7daa62cf3e4c4c9712977dae1ad368a19e |
584 |
7 |
Session Manager Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
9acd91066b664aa3f4181a28555facbc432bae9a4c8502aa92ceae1de1f31753 |
579 |
287 |
Renamed NetSupport RAT Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fede1c0268e88b6a7ec369e9c62c124a24ab5c7f9adc969af706be5000e0e8c1 |
570 |
108 |
Regsvr32 Network Activity |
Dmitriy Lifanov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
047ea96432123c5b2a32816291dc196702b51bd9d49adb2c1673b59dd0018a0c |
567 |
146 |
DLL Search Order Hijacking Via Additional Space in Path |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
eec4fdc586db73cdad5bc34b172ecb132a75f4607c84cdeef26a811db01918fd |
566 |
7 |
Python Inline Command Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4eb25eff0b4d84652480301d5845b79be20cecc54ff18737ad9fde16370bcb4a |
558 |
406 |
Detected Windows Software Discovery - PowerShell |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2f2546b453b2e10b60c4d6b1345bc05c2dc99e42daef2e236a11005d772937ad |
536 |
90 |
Remote File Download using GfxDownloadWrapper.exe |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
16dd4d7c651cd862752fb483a4e7898c821603b1739b7aecb11298a6e931189e |
534 |
534 |
Bitsadmin Download |
Michael Haag, FPT.EagleEye |
Sigma Integrated Rule Set (GitHub) |
aca8c04f52d20c1f8ac7c5fda7686124759166ab9439145354e331faaf792bb9 |
532 |
121 |
Suspicious Task Added by Bitsadmin |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1bd7a375097c5f1afa59522776e79bf741057e59bdf9df33985fe7db095c655c |
528 |
127 |
Tasks Folder Evasion |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
ab8ea26663a3935bd7f1783455f465a74c106836d5a68c19a61dec68dd2596c0 |
526 |
1 |
Potential Browser Data Stealing |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7f302700c67727730ec082001e9f6840f366aca520673a11d09dd130bfc31429 |
524 |
54 |
Potentially Suspicious Child Process Of Regsvr32 |
elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7d605643d3d8c564d51574a154eb77dd6009d4c2a39133d7fe93089f5764286b |
523 |
0 |
Renamed Plink Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0b74fe58c124fa3f0817cadd3efb94d64ded5662336971846facb96d8b01e56a |
522 |
136 |
PipeMon malware detection (Winnti Group) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
7f7471486789b0240cf2b95271088889269baee8e3fb42b0cdb6d71d7d37588d |
518 |
376 |
Powershell adding suspicious path to exclusion list |
Joe Security |
Joe Security Rule Set (GitHub) |
d933fed60e38128e7e3586361ae42b885a5285e04ab14da997282550a77a9059 |
508 |
19 |
System Scripts Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
e508e0cd0078f2c99fa9a87448bebda5652165ba069b1c9c4a89ecc4a2b385ca |
505 |
0 |
Spora Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4dce473be53cdc44d945acff82c6e5ef53b3304748f9aebc8d4f586230520785 |
497 |
129 |
Weak or Abused Passwords In CLI |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
505504b564af2ed8ba77826b758a9eb5bda1701b18ffd11a5266b48d417692fe |
494 |
150 |
LimeRAT |
Joe Security |
Joe Security Rule Set (GitHub) |
667c9dcf6079fd28997e3e2b10b629c8ddbbd7bdffee1889aef6476277791e13 |
488 |
5 |
CMSTP Execution |
Nik Seetharaman |
SOC Prime Threat Detection Marketplace |
7d8b8c88008f45dc07b07590cdf039437686d441d35e7204ba91a632ebc9439c |
482 |
42 |
Malicious PowerShell Commandlets - ProcessCreation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6109e5a50653d03dbabfcf3bdf71fa77c6e2430050d589990fe4869424a68d5f |
479 |
98 |
Potential Startup Shortcut Persistence Via PowerShell.EXE |
Christopher Peacock '@securepeacock', SCYTHE |
Sigma Integrated Rule Set (GitHub) |
537a092527e25f9e54a3ddb6667c0303fbda5891d2f933ec0fc62bd4a5572cb4 |
471 |
49 |
Suspicious Msiexec Quiet Install From Remote Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
62641a1f33f67c78cb5f920f86788ab9e084dd90a20f1bbe56bd0de87f85b129 |
471 |
133 |
Use of Squirrel.exe |
Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a7aba66fc56c50a87fc053cf4dbd37af1845fac642e98272db5c4d804dc66de5 |
468 |
273 |
Potential Persistence Via Notepad++ Plugins |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1492d5fa8f02d4d7ce8b5c279841da26a3dae0da5562729690d1875944341bc0 |
461 |
152 |
UAC Bypass Using PkgMgr and DISM |
Christian Burkard |
Sigma Integrated Rule Set (GitHub) |
5b0ad2dce2b0a9bde121d5016b3379c08f507ccce3f43e43a65fe518a16ba50c |
460 |
26 |
CMSTP Execution |
Nik Seetharaman |
SOC Prime Threat Detection Marketplace |
58d4fbfb0b53744348e77deba3d12df957601d7b27fda30abc676523e9634cda |
451 |
11 |
Cmd.EXE Missing Space Characters Execution Anomaly |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4bb625c721776edc38f264e032f4677eecbdd60e011a95fa267baee02fc262c4 |
450 |
39 |
Suspicious exeplorer.exe execution |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
2f0a10e6befc35eb8cf3d8af89b1db1a84a53b5aff114a90c2d1b0a3a697d1ac |
445 |
29 |
PUA - AdvancedRun Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1acf8a5bd4b9da5f502c337d49e41685a8b09ec964d979cda876f038871b43fa |
444 |
17 |
HackTool - Rubeus Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
74f9a93f96bad4ba440f105a789ab5905ef284191baa105737e7ac861d13bd44 |
441 |
0 |
Shells Spawned by Java |
Andreas Hunkeler (@Karneades), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
0eced37f0ea111b4f9b0de81cecda56610adc30fad4061274a488187f71b395d |
441 |
67 |
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bf0f7d2a84916abcc597e4a38a6231519b38af0223147ef15e28c7ab83f47c7d |
435 |
119 |
Operator Bloopers Cobalt Strike Commands |
_pete_0, TheDFIRReport |
Sigma Integrated Rule Set (GitHub) |
fc1c644d943e763e67a7951dbec3c33d1e4710aed85f336a114eac8b43c735f5 |
433 |
13 |
Copy file to startup via Powershell |
Joe Security |
Joe Security Rule Set (GitHub) |
f81996947f17d7a0b11829404a9a1b42e1041d6d013b0021dda3bbbb35dfa106 |
432 |
1 |
Rundll32 Without Parameters |
Bartlomiej Czyz, Relativity |
Sigma Integrated Rule Set (GitHub) |
de72fd0fbb1418b8eddde8492f15f221fc84e0ca0d3ca576ccd0ff897fb98037 |
424 |
1 |
Run temp file via regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
c70694dd88c0a5a32ad8a52ef4ad97a6525c281308ba84e791661580aab19264 |
423 |
86 |
Windows Screen Capture with CopyFromScreen |
frack113 |
Sigma Integrated Rule Set (GitHub) |
f8a626af728b3adf32c5a523da76b149e1f41d45e55c4f3b2cb7895c3920b449 |
422 |
39 |
Disable Internal Tools or Feature in Registry |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
86c36bfac526414900d3b4c6f66d0b7bb2cf11a511b7ad65c486685dc8d4d05f |
419 |
10 |
Automated Collection Command PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
beee5a67cef9cbdfd4d0e1db0dc60dff160df233b0948d9988a2ca819a41727c |
412 |
68 |
Suspicious Download From File-Sharing Website Via Bitsadmin |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
54145fc7feb54b73cba1cc24c4cd84fd7f99ba4e75cc334003bc39785217bc30 |
400 |
77 |
Tor Client or Tor Browser Use |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5e1ab62fc9383aad72ce1011e101e15342e386adc35483e383f335b0e5904f84 |
400 |
20 |
Malicious Nishang PowerShell Commandlets |
Alec Costello |
Sigma Integrated Rule Set (GitHub) |
b80c35f99523537c476487e505edb0c210eea308fa18707fdcd5aa54d136e3ce |
397 |
32 |
Lazarus Activity |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
735c9c8d6f2afa0f395d670a4d21f211de96cbab610a1a63b20bcc981d975f0f |
393 |
1 |
PUA - AdvancedRun Suspicious Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
75719e469ef20b32e309a7f6531a0e2548349e059e4c4d943740490e0dd8f526 |
387 |
0 |
Malicious PowerShell Commandlets |
Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update) |
Sigma Integrated Rule Set (GitHub) |
bbb841b3f1cb3bdb122737ca0755cb93d982ecca4651de2822af469b59071f87 |
385 |
53 |
PowerShell Deleted Mounted Share |
oscd.community, @redcanary, Zach Stanford @svch0st |
Sigma Integrated Rule Set (GitHub) |
7d4fc33c33fc31d17a2c9ee04cb6e1114c58cbeec3fa2b7cd4f5502b2d28d6ba |
382 |
135 |
Set autostart key via New-ItemProperty Cmdlet |
Joe Security |
Joe Security Rule Set (GitHub) |
20d65fc22a4ca2deedfc3a40bcfd0522766c18fa1ebd190b9d8fd068ee94ec0b |
378 |
10 |
Enumeration for 3rd Party Creds From CLI |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9459f67b1253cc08abbddb96a073b963a102b013d6fb679d6a0273540ad7b19f |
375 |
29 |
Potential PowerShell Obfuscation Using Alias Cmdlets |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e |
373 |
188 |
Powershell Exfiltration Over SMTP |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b09b9f74febb3e25b3de69614b6193a2740c00fe9e7ccf5e62f503de56c5c1bf |
371 |
132 |
Rhadamanthys Stealer Module Launch Via Rundll32.EXE |
TropChaud |
Sigma Integrated Rule Set (GitHub) |
de0e634fa9106c661586ec7674b77259237dd3f5bd92358ce52a278d05072e99 |
367 |
2 |
File With Suspicious Extension Downloaded Via Bitsadmin |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6650c06d796cadbfac3560efcd86cb681d552bf6cb9c4d1fa9b6c82b556ae087 |
366 |
87 |
Suspicious Scheduled Task Creation Involving Temp Folder |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
c81c0126a6006ad9dbec7215030642dac0a918f133b33aa4c077f9676d84cd58 |
365 |
0 |
Use of CLIP |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d1138c20627ece208ac948647342866415641b06510830449eb2bf7d2f32e4af |
361 |
31 |
Suspicious Epmap Connection |
frack113, Tim Shelton (fps) |
Sigma Integrated Rule Set (GitHub) |
f7111a6bcb3ca53bd2233e4c87e194a56653dc72a81d92c78e707b7348c4f241 |
342 |
8 |
Suspicious FromBase64String Usage On Gzip Archive - Process Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7ba93fc93efb5d8901f3061f6c7f586575a9b70f53e7c4e4241975131258aac9 |
342 |
0 |
Suspicious Rundll32 Execution With Image Extension |
Hieu Tran |
Sigma Integrated Rule Set (GitHub) |
9103c9abde5b20f2b8e59ee53ea823a7c4e9d171c3f07a383b2ee7c0b3f792f6 |
341 |
140 |
ScreenConnect Remote Access |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
29112c1d912aafdd95b322ff1127f1fde6560b1d2e3dc1484d11d9d222af7435 |
339 |
10 |
Schedule script from internet via mshta |
Joe Security |
Joe Security Rule Set (GitHub) |
a3c2a24a999f3a9870f6ace27e73e7bdf30d18dcf0bc4873bfe196f5bec81ad4 |
330 |
2 |
Suspicious Whoami.EXE Execution |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
accf31ff0e1e1b6219d9c964b9ca9832458e71ee32cac96d64cb26de422128f2 |
326 |
67 |
Potential Persistence Via Shim Database Modification |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8c893b41c5a28ef36c6b16d709f057af26436898776837e685d30b93672c2de1 |
323 |
103 |
Remcos |
Joe Security |
Joe Security Rule Set (GitHub) |
b50b6d86173debc4d608b981e7d6b5136092c515286d20c0eafcce3b7c411dde |
321 |
0 |
credwiz.exe DLL side loading |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
d83f2abd95409ecc8fb4d4930072a48b4a677def3d31b022a95e99d5873fc27a |
321 |
34 |
Register DLL with spoofed extension |
Joe Security |
Joe Security Rule Set (GitHub) |
ff70195d476ffa7a3d8e0b1503ffeca1e8707431b00403dfa695732599b571f5 |
314 |
203 |
Disable Windows Event Logging Via Registry |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7496876fb48565b8278bf669ff38b2846b842f9f663b755f72c105f928ae76c6 |
311 |
70 |
Renamed Mavinject.EXE Execution |
frack113, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
7e9ffe282ed5cf9a47857b911d7d92611b0af4f61bfe1bf89131f57080e0100c |
308 |
31 |
Extracting Information with PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4e243e6a618f306cfd754df3b30132c4fa518c4ad26b6d755244064cd3110b0f |
305 |
157 |
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4f19758bce122aae71a356110cf88e95df101e099a2b95e2472e44201244475d |
302 |
17 |
Suspicious Chromium Browser Instance Executed With Custom Extensions |
Aedan Russell, frack113, X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5511a10e5fd658ddc15e8b7fa4c8cc7cd60289f6e54d703f50a9f3a8134ab796 |
289 |
6 |
Powershell Install a DLL in System Directory |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
51fc69e23d6cd3acb20d821dbe95596fb6d8cc314866c51a6a23033b83818ee8 |
282 |
68 |
Use of Wfc.exe |
Christopher Peacock @SecurePeacock, SCYTHE @scythe_io |
Sigma Integrated Rule Set (GitHub) |
828fcf5b0d289ec191b7e622d323a6e6def6af24a2d4aa575f7f8543ffd3de0e |
282 |
33 |
Office Template Creation |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b52847695c6477e59d07e791f5afc7389180b1087054b513284bdbadfe15f22c |
278 |
59 |
Powershell Token Obfuscation - Process Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
6dd3abd7ee97d24f91e01e6fe236e6d2b8b12c2943ed9bb875e5613bf3deb8d6 |
277 |
15 |
Potential Tampering With RDP Related Registry Keys Via Reg.EXE |
pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport |
Sigma Integrated Rule Set (GitHub) |
e56cee5542b4c0d63057ea40087d4adf80e75c85d61d4c444e7b3f9b64a62cd5 |
270 |
77 |
UAC Bypass via Event Viewer |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
d37f057d76500ae8527178a9ea367395f2bde798f1cd048621be74f915b28aa7 |
270 |
0 |
Check external IP via Powershell |
Joe Security |
Joe Security Rule Set (GitHub) |
4b3ac3a4fac3672c92791075c26f1e10555eb3385628b923bccd8cbbd5dc83a1 |
269 |
33 |
Renamed CreateDump Utility Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ed9dd3a8bde9d3f74318eae5a66dc75d50f12cb32fd6854fb7289d91507b60c9 |
268 |
217 |
Outgoing Logon with New Credentials |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
55191fe8fd6505fe4952b024afcf9016670b4fade05502947a91ca4d3558d59d |
264 |
39 |
Schedule hidden powershell script |
Joe Security |
Joe Security Rule Set (GitHub) |
9277300d8dfe7cfc29e41129553c4d7c59c4b709d4b1716c8fe9cc037c9bc29d |
261 |
8 |
MSBuild connects to smtp port |
Joe Security |
Joe Security Rule Set (GitHub) |
86905c36f5c4e855311f702723eec0c6a4dc9e9992fcec9b2ddcce685b7c2e09 |
259 |
0 |
AMSI Bypass Pattern Assembly GetType |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0a84db82d1740ebcf2c704e4d71ef3e033441b714135baf3b4025983a8c4e14a |
251 |
1 |
Potential Suspicious Activity Using SeCEdit |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
49aac70aa91f01a7539b5678a4fd244f32b078c30cec03a7ca460298d59a2a43 |
251 |
138 |
PUA - Advanced IP Scanner Execution |
Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy |
Sigma Integrated Rule Set (GitHub) |
eba28e9e2b6ff9e170e3534ea8b1e863757d5c976a9a84e4bbf5bd6ffeea5325 |
248 |
131 |
Use of UltraViewer Remote Access Software |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e5a4bf7a1c38d3917af9af6ae6ee7c2038a1ad6450721694cc741d2410b05834 |
247 |
73 |
Execute Invoke-command on Remote Host |
frack113 |
Sigma Integrated Rule Set (GitHub) |
61dae8b0a35fc9369e410406f226b559d6c9cb12837347724e7c4f9281869910 |
244 |
66 |
Outbound Network Connection To Public IP Via Winlogon |
Christopher Peacock @securepeacock, SCYTHE @scythe_io |
Sigma Integrated Rule Set (GitHub) |
030a43138df8f268a688b4d336377f9ae24dca9828eec55a36d20824b6201ae9 |
244 |
0 |
Malicious PowerView PowerShell Commandlets |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
c9a0fa3e3f43c8762528ddcca56a26673a3f37eb9077f2657884e8b847fb9ba8 |
238 |
91 |
HackTool - winPEAS Execution |
Georg Lauenstein (sure[secure]) |
Sigma Integrated Rule Set (GitHub) |
bdf9a7887267777773c9949f494e9799efef1be392343e309b16334f10b7bd66 |
236 |
36 |
Suspicious Add User to Remote Desktop Users Group |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
04ed3e23df49b07ebec11f2374d1ccce40bc71d867b1f8e29ea40b1b9e878ac3 |
236 |
29 |
Office product drops script at suspicious location |
Joe Security |
Joe Security Rule Set (GitHub) |
67124e7349285a993dc331738db576ef56c6cb9724bf1cea7695561498a0fb35 |
234 |
32 |
Potential Persistence Via Powershell Search Order Hijacking - Task |
pH-T (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
262548bdd551b5516ac8ba4e7c13b94c1164ea5766dc08877e95dcb2930be717 |
233 |
28 |
Potential Powershell ReverseShell Connection |
FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1b46ecd9aa9660208e7f7cbb3e4ad79d7fc469adb5c2c5dc81af712ebce9b80c |
229 |
5 |
Execution of Powershell Script in Public Folder |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2a39a26b108b99d76b325cabad67ed0b401f56104a863ba5158e0d3b889adc0d |
228 |
41 |
PowerShell Get-Clipboard Cmdlet Via CLI |
Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
405f59430cd2ef58f1b3387a7fc5708e7dd6da1082e96fe6cb359c46daa4e056 |
226 |
45 |
Connection Initiated Via Certutil.EXE |
frack113, Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
80b6e3dc8d08ed8e3d4ef52e59af689b5f0215b08d92b3fce2310539c37b6b31 |
221 |
24 |
WMIC Remote Command Execution |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a72068f1e78b9563b352425ce5dd77aeaebcabfd4790a51a78cfd11d07e016a8 |
220 |
61 |
Suspicious WERMGR Process Patterns |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
656aa4cd1d10955cd1240f1e010961aaeabc323850ef28dcdecc9f334ffabd54 |
216 |
2 |
Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
c654002dc2859e8a2f74ec87ad6ff4deaaf0f42f99603aa964e30ed1b1f01cc1 |
214 |
3 |
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE |
jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
396c0639fa0d38dbd62b1c1baa0fae0b008178fb81dfebaf1cc70a858c610190 |
214 |
86 |
Suspicious Mount-DiskImage |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8aa937de88282ab672836441edf50f760451a9112887ad0867753ab1b9fc5a4f |
213 |
82 |
PowerShell Get Clipboard |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
524490479b353ff8d877b617014d2cbb9a65d782e87caae21e923760fd2ed255 |
212 |
12 |
Uninstall Sysinternals Sysmon |
frack113 |
Sigma Integrated Rule Set (GitHub) |
422a2d0c4ea81e0f14306603309b37fedea591abe396235a46638eedb3aa069a |
212 |
2 |
New BITS Job Created Via PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cfec5ce24be18b8a5b6ee565ce5bb62f0aa614ff0754094a9cb6d113b97decbe |
210 |
32 |
Suspicious Get Local Groups Information - PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5ef6bc365a01e6ef90c1fc4f49006e9a8fe08e82c0a9ce80c10153915771547b |
209 |
63 |
Suspicious PowerShell IEX Execution Patterns |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9cede5a1c6382a5e4dd57d439fbcb57f927088bb5c3e1d4019c03562c3b4f9e5 |
207 |
8 |
Schedule binary from dotnet directory |
Joe Security |
Joe Security Rule Set (GitHub) |
3c44dc412b67786cb131e2f723dbcfd035125eb3c04b66bc8baf4a7efe0ac581 |
204 |
0 |
Password Provided In Command Line Of Net.exe |
Tim Shelton (HAWK.IO) |
Sigma Integrated Rule Set (GitHub) |
356834a41f1b8ed94c954435f27d64f970ba67b17ac5474ddb8357cfbb8de8d8 |
200 |
125 |
Glupteba malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f75c71f7be8a63670e0c606b582900d5a921916b46408da383beb0786cb5588f |
198 |
0 |
Powershell Sensitive File Discovery |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a4c59bdaf575107ce23b3c6e62c772eece15e1f61e51a236e70e3b95c48bf0a8 |
197 |
83 |
Suspicious FromBase64String Usage On Gzip Archive - Ps Script |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4c7e768ac31ad9f19aa32c2c10eb81eb9b6ae9d00129f474125bbfa6e8cf42ae |
194 |
6 |
Register Jar In Run Key |
Joe Security |
Joe Security Rule Set (GitHub) |
a251b526d9024ed7f489fe7b9c2182080e067f2d35068063c5fd326283d9b1ba |
191 |
0 |
TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
97f6a22231c4c8e243c104bf226d8fd3875f335f00fc724750e6b691770fbc5a |
190 |
115 |
Suspicious Shells Spawned by Java |
Andreas Hunkeler (@Karneades), Florian Roth |
Sigma Integrated Rule Set (GitHub) |
0119b24f133d3f3142f84b35c30b7b1c417c4418f4d18098200208947ac5d041 |
188 |
46 |
Suspicious Connection to Remote Account |
frack113 |
Sigma Integrated Rule Set (GitHub) |
71f9611fe50b2788a25e6b1c3fb3d035c5e04dfe73447ed185bfde157084fc72 |
184 |
59 |
Suspicious Start-Process PassThru |
frack113 |
Sigma Integrated Rule Set (GitHub) |
ce0c4f663ae2b2d04af92c5309f25b12035419b2fc2b6b9c161ab8c7830e3e52 |
180 |
53 |
Suspicious Schtasks Execution AppData Folder |
pH-T (Nextron Systems), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
a09b70879bee26f128e93430015539e1b08567dd211bd7411ff6e600ed8d5f6b |
179 |
29 |
Windows Hotfix Updates Reconnaissance Via Wmic.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
392fcdac1175baa32b5f9e8899fc0dcd24fb0c6c9390adfd646bd983451e2810 |
178 |
60 |
Netsh Allow Group Policy on Microsoft Defender Firewall |
frack113 |
Sigma Integrated Rule Set (GitHub) |
631a83ba9daa9bb7ff02be55784068db1eeaa6935ea10809a1b8a8cf4ce2abd3 |
176 |
36 |
Socelars Malware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
3b19facf348c1fe8db660733298928cb749e5dafe84ca3025f86b31129352e51 |
176 |
0 |
New Root or CA or AuthRoot Certificate to Store |
frack113 |
Sigma Integrated Rule Set (GitHub) |
924e45f65b58d749e29df4b23b32058847bb1b15673ee93b0f9a0fc94359b19b |
172 |
50 |
Remote Access Tool - RURAT Execution From Unusual Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
afdd67de130ff9c5fd2b18ca53480574ad0613d99edb23555df03caaf3cd774b |
169 |
4 |
Suspicious Reg Add Open Command |
frack113 |
Sigma Integrated Rule Set (GitHub) |
81f2a11aeadd681c5a2bbef5acdebbc356da424e56854a985e3c7eb0aded2fba |
169 |
24 |
Modify Group Policy Settings - ScriptBlockLogging |
frack113 |
Sigma Integrated Rule Set (GitHub) |
312aebbf9dd01274971762d360bf4d4870a7b7138c7cc149d33a9ba8df72b293 |
167 |
134 |
Change User Agents with WebRequest |
frack113 |
Sigma Integrated Rule Set (GitHub) |
024c79f380ec5ead6ad1ccc07deb79a5a281021a443831220b62f700f9cfe3d5 |
163 |
32 |
Equation Editor Network Connection |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0418449ae011d99278f952cf0feb26a91074c66d4f9fd7f162f91ae71262c40e |
163 |
0 |
Procdump Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c3f48ada664e96b916cbb2ed88c7f622ced143f3f9e2c039bd4516f81e1c1e4a |
163 |
46 |
Wake-On-Lan |
Joe Security |
Joe Security Rule Set (GitHub) |
7695d2af7ecb7540baa69cd6442745f2c3bdd83d21c904b7a09b2d560c123439 |
161 |
1 |
Brontok Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
cc37d2c965977a035bf3e0e5adc5d1ad561e00eeecc80cde19feb01566a5fa61 |
160 |
0 |
Custom File Open Handler Executes PowerShell |
CD_R0M_ |
Sigma Integrated Rule Set (GitHub) |
e441ec55e6c79f736b37301c124beac89f633c990d45a175da5e134af80e91c6 |
160 |
7 |
PowerShell Script Dropped Via PowerShell.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf |
159 |
47 |
Spora Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
8a1a4505f9c0ee688392c73f69566ea35c3597f51241af4cb0ddb23057c95474 |
158 |
54 |
Suspicious Binary Writes Via AnyDesk |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e63c082925104de00901f48dacf129e0a824bbe55c24ed90ba31d4e82c44f216 |
156 |
3 |
Base64 MZ Header In CommandLine |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
754e38d8c28a41c5d8fab94446819cba31374961a938b11c2766647ee5dda64c |
152 |
20 |
Suspicious Sysmon as Execution Parent |
Florian Roth (Nextron Systems), Tim Shelton (fp werfault) |
Sigma Integrated Rule Set (GitHub) |
d76c7bc40bb395a6c2bc04fb2518aafb5044409e7d084eab35a00d6514635261 |
152 |
4 |
Potentially Suspicious GoogleUpdate Child Process |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
09412b30e562e2ce76bfde7b363c711eb8d82f225e5c33b969989c68181d63c4 |
151 |
18 |
Suspicious Scheduled Task Name As GUID |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ef39cf85c48f12af91e233355369755a0620b84ae2ffacce7f740a2b429531d1 |
149 |
1 |
Use of Remote.exe |
Christopher Peacock @SecurePeacock, SCYTHE @scythe_io |
Sigma Integrated Rule Set (GitHub) |
598030e3b99748bb98e1a8c78a24023b80499c1526fd7b7719b5265a781b5402 |
149 |
51 |
Powershell LocalAccount Manipulation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b3caa02d87fceb141c3eb2e3715d1290976d6fdb56070c03362cd1fb6808f95d |
148 |
47 |
Service Security Descriptor Tampering Via Sc.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
79b65bcfec60a228ced8c00aa4b8ff786ce017482ff46446e002fd9ea7bdbd00 |
146 |
98 |
Suspicious Obfuscated PowerShell Code |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d8233999a8d30f6ee903ed094bc3c6fe4008a4be43a580311a9d379867e54538 |
146 |
0 |
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b2414a4d8972516423f6b63d79b5aaffd883551d5c9ee63294d6395da8f6a88b |
145 |
97 |
Potential Persistence Via Microsoft Compatibility Appraiser |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
9fc475ae448749ce7b6c7760c27eaa960cebb3e61dd32ccdd1ffa55dc831eff2 |
145 |
92 |
Execution Of Non-Existing File |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d2b7b95657238f7c078b9a6a17689a6184c1cf349ffb183b174ad2bd84681b08 |
144 |
3 |
Suspicious Parent Double Extension File Execution |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
00b61d3ad8d5b276f712ce687ea306dc5b640516a51e65fd05ec277c5b979611 |
144 |
6 |
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
624e5e799c1829ffc2199cdf5c7bc356cfb6da8137626ea544cdeaa8ee1d5c75 |
142 |
16 |
Possible Shim Database Persistence via sdbinst.exe |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
f228d8546016f76e5942e38208fa8a55735339d54ec3f56e63b2b9133b037a7c |
141 |
54 |
Detect Virtualbox Driver Installation OR Starting Of VMs |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
3cbde0faee76f7509cfde702c1c324a83ac88cb58f0e0f74b2682a9b60369b1e |
140 |
108 |
Change Winevt Event Access Permission Via Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cf2984facb3af2703a88c05e420505bdaad5887f51fbf32167a0bf5abfcc28bc |
139 |
20 |
Password Filter DLL Modification (Sysmon Behavior) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
cdcaebb2c5505eed7b1cf8cbaff3316fe62d1be1354a3d77d6e25bca67c753d6 |
139 |
76 |
WinDivert Driver Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b7ad594d8528d4ee4c0201b1a0852d42e9fc45976e984ed534f502290031e73a |
139 |
24 |
Glupteba malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bdf42e1363c4a10d6bcc355bf1a7fd1cb54d15737372cbd542de0642fb26eb5b |
136 |
0 |
Active Directory Computers Enumeration with Get-AdComputer |
frack113 |
Sigma Integrated Rule Set (GitHub) |
37b6b961c7d630d66ed7dffc1fa2aae8811008a45bb73eadb3a78bd34a309c6b |
135 |
70 |
Registry Dump of SAM Creds and Secrets |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3e6aec9c264981c1c738cf2bb29a907f7fc01867b91cf31a6d4ba46d35129230 |
135 |
21 |
Renamed Remote Utilities RAT (RURAT) Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a7d9d6781e1b1a5c65f3603e5aa6e2da23879bb16ea543f313a3d39f5d7949a8 |
135 |
6 |
Run Whoami as SYSTEM |
Teymur Kheirkhabarov, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
6af189a96d12cb443ce812c507e6b5326d70cc43e4f8a8b179fd45d5acee44bd |
135 |
15 |
Suspicious Electron Application Child Processes |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2b1f50cff6a2e8639ee801986adca76402def027ff7616841139cbf2ab32e2f0 |
135 |
5 |
LSASS Process Memory Dump Files |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
532253e22b4c2a6410e693838434b30d959a9ebc0c04a0c861eeb9d593879009 |
134 |
5 |
Use Radmin Viewer Utility |
frack113 |
Sigma Integrated Rule Set (GitHub) |
656b04cfc858a6fe2bf9dd2c3fc9b7beef1f30399b5817f0ad3a3862463f3783 |
134 |
1 |
Potential Arbitrary Command Execution Using Msdt.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
96f35178aca93f73311713ffbcade7354646a1facaf7c2fce0201147d4b4b5c0 |
133 |
3 |
Suspicious Creation with Colorcpl |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4a29af926d08877fafd396f3d616bf6c90064503754db0460c36b7c0dd99dbbc |
133 |
0 |
Nltest.EXE Execution |
Arun Chauhan |
Sigma Integrated Rule Set (GitHub) |
03ddbba7f8c72cbe2e0de21552f7f8f8a101955c12556c2bdb06219c0c968836 |
132 |
106 |
PUA - Netcat Suspicious Execution |
frack113, Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
358a95254318aa55ff499eb64277dff47957ac37c6370873673433bd55e77cf8 |
132 |
6 |
Process Monitor Driver Creation By Non-Sysinternals Binary |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b37461353268b5d8d8a4a0d3ec132773396606b1cc30106f1524817122d6ed5c |
132 |
2 |
Suspicious Office Token Search Via CLI |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d914cc65d6c2c6363da71b09c2053c49031ad5dd7762f7e08df307adf0892f8f |
132 |
85 |
Clear PowerShell History - PowerShell |
Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
75df0b220ddaf477070a84227ba8e5430f5d4bbcfdfe1ad41ca6da62894c03ed |
131 |
48 |
PUA - Process Hacker Driver Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b0d1bb8b34cc8998b5c64517d209194141fc1ade58d04a41bb18fd11be56edfc |
131 |
0 |
PUA - Nimgrab Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
91bdf8703cfbad287d4568a09b53790b20efdead5896d044bccf4d80efab7970 |
129 |
1 |
PowerShell Remote Session Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2edbd80b280a70f7636ca307800e2c61b25d829eca7c992125bf15782e91f688 |
129 |
77 |
Suspicious Download From Direct IP Via Bitsadmin |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
341222e0eba20f3fbf807a78669d6bd5ab3f6245589b85086cece2a9518283ca |
129 |
23 |
Service Started/Stopped Via Wmic.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2e3d78c5e41e6de41cac9e7f1872a39a27300e4078b7a403b7c6d4f0ca96daba |
127 |
37 |
Valak Behavior (Sysmon and Cmdline) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
95388dc52565d97f01bb478463530fac5eb3a7197bbf17fccbd415b4a10a7055 |
127 |
92 |
New Remote Desktop Connection Initiated Via Mstsc.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
257b13d5b7127756fd3872ae69c87afe430e3a8d7933cef87a19e05fc1658d70 |
126 |
38 |
Ramsay Malware Behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
9a24e548df204cab86a6489b32a696d4f00e8933893536c518bc73e457c7f3a0 |
125 |
26 |
Vulnerable GIGABYTE Driver Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e55e3c4025c22c464d209815a3411299c407e870eab4c5aa9ef362b217babade |
125 |
3 |
Suspicious Extrac32 Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
22466d36eb86be8a2f88344d2ad8707352f79b184489f7bc14547bcc6c82b9c1 |
124 |
37 |
Vulnerable Dell BIOS Update Driver Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
10577bdb5cec4b94b7c1d5ddcb04041555da105e51850313907d995a05c68dee |
124 |
79 |
Cmd Stream Redirection |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5f96e6b063aba9535c425e87ec855e1751d2d80c4099135c5b165fdf5bdbc5dd |
123 |
24 |
Sysmon Configuration Error |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1cd7d30672aa97bf7ad987f1430427c4badcaf9359b200f28071d8b243834f07 |
123 |
8 |
Ryuk Ransomware Command Line Activity |
Vasiliy Burov |
Sigma Integrated Rule Set (GitHub) |
1a2c4b1ffc8f65b4edf9020cfc1b6203854d13592539752717c107cd6357489f |
122 |
7 |
IE Change Domain Zone |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1fd27acf648f3f73802533ae95c6e367de8eb32fe05e9d3b52913ec54401a5ca |
121 |
14 |
Pass the Hash Activity 2 |
Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) |
Sigma Integrated Rule Set (GitHub) |
1e58f3b3a12845dad6be8befe76f8a0368d994ad5b069e672ac85d329bf336ed |
120 |
1 |
Renamed Vmnat.exe Execution |
elhoim |
Sigma Integrated Rule Set (GitHub) |
a94bce44672eb0c1fb09c1cec60477d64a82eb540559b6577c4370d99fbb38ee |
120 |
2 |
Schtasks From Suspicious Folders |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
afcc7387bfcf1a39c26eb91bc6b000368dba233e0d6405a1ed3dc8b8e436f18e |
120 |
62 |
Execute Scriptlet from internet Via Regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
1dfe86ef579952e7d83c7cab84e28986946f0660fc39224c8c471d29300a9885 |
119 |
0 |
HackTool - KrbRelayUp Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
914dd9cda73bd6f9573dbe9e9a1fdfc390464d03b96dd1d0ac163be4f300aff1 |
119 |
0 |
Suspicious Execution of Sc to Delete AV Services |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7f8a2779f372784da42ba3ea542708f81eb3d3784b03ec4d156d94dbf9190887 |
118 |
5 |
Suspicious Scripting in a WMI Consumer |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
aa9824d65395eec625b665851ca4456503a8111e058eab9487c34500b30ee31f |
118 |
0 |
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
6b5efce8659d3a3b0a47725b973669cf5b071a5a685525042188d1670c7b2d82 |
117 |
9 |
PowerShell Hotfix Enumeration |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6715493a73f1ae31ce901cd48d6907aafa006d047fa07301d790319a8ff89813 |
117 |
36 |
PDQ Deploy Remote Adminstartion Tool Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d4455289124296f34e652e21b22099e2dbeb914261581fba842def35d85a6d92 |
116 |
108 |
Powershell Directory Enumeration |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7ce2e69836f6ffe690530adb579824031c46a1bee75e6f8dc9ec028fe59c5681 |
116 |
37 |
PsExec Service Execution |
Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6ce71be75a7090fc85bf7d41e3b363a7a4dce58549844db0c3e5d9d3b32a3e0e |
116 |
14 |
Suspicious GPO Discovery With Get-GPO |
frack113 |
Sigma Integrated Rule Set (GitHub) |
039172cd0dec626a7758aecf1db76255b8994bc61501f3a732abb90dc4e88560 |
116 |
38 |
Group Membership Reconnaissance Via Whoami.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4a8be8d477a2fbfadd8b27b53ce2a677c2b380814db4dedf6b47a8986fd6a69c |
115 |
35 |
Classes Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
acb1ec4240103205f334c8fe26431568a458950f7b86b59652440e1de4dc0449 |
113 |
38 |
Suspicious WebDav Client Execution |
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a2c6a7629f2d0d6b18c2ce3cddbee5522cbf1f3e6e8bcf0692c9e9393724ebaf |
113 |
5 |
Fsutil Suspicious Invocation |
Ecco, E.M. Anhaus, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4b8a086b898ff9eb51b0489b98e2619d0c9fe2cd94e29325ec8a4c2250220b8e |
111 |
23 |
PUA - Seatbelt Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c38f8f9eadbe19471d3a16edc3057b1660a29e4b74e90fb2ff929df10c440a40 |
108 |
0 |
Persistence Via TypedPaths - CommandLine |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3f78ff7ab6850cb34de03f0d9dd46de9ae0b96b1eeb140dcda89aabc2b7462a0 |
108 |
70 |
Compress Data and Lock With Password for Exfiltration With 7-ZIP |
frack113 |
Sigma Integrated Rule Set (GitHub) |
227d06b807fcca01531502ab9bf3471b44a2e7db88394d5d03f7e07a11adc2e3 |
107 |
38 |
Potential Recon Activity Using DriverQuery.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c887795f89a95940c21235ec7fff122040bc4c53b14e9a9ba700193f3a7db228 |
107 |
23 |
Remote PowerShell Session Host Process (WinRM) |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
9c155c1f00478f6dbc65e449bb4e1ee8d14ca444d40cbb52bd6406320ff20282 |
107 |
4 |
Suspicious File Download From File Sharing Domain Via Curl.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
09fa8f2c3e86f0fa6cc0876e94d77a20c07409a7154a61ef64a9a9a31a6d0049 |
107 |
22 |
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2291b42b147dc3089126be94f1bf34506fa822ea41904e0632fbe519dd3799a8 |
107 |
9 |
Disabled Windows Defender Eventlog |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d8e5c8a4902824901a6b91baa07694ac8ea9e13689cebd342572a8b546bad5bc |
106 |
2 |
Potential Suspicious Mofcomp Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
890b5bcddab8d41ea499e521d3dabfb62f66e175c7e5968407080b5c7a4f2aa8 |
106 |
64 |
Suspicious command execution |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
2493810bc5072dfb469437cfe4848e404b84ec5690670b79ab60bdf138d06139 |
106 |
0 |
Use of Pcalua For Execution |
Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
15a88fc8b846a774c398a2350aba9d8b4203f0cbb095abb4035f8f0e2c3ca2d5 |
105 |
3 |
Dism Remove Online Package |
frack113 |
Sigma Integrated Rule Set (GitHub) |
835544e76c588c424d064ff04c81b644c875fe6499d31ecb188d5e3e59f4e72d |
104 |
62 |
Suspicious Windows Update Agent Empty Cmdline |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bfc362a89797a5fb7c7a15aee27b5c62127fff278db59f8dad27390ea34e3e1b |
104 |
2 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
8618cac2c2c1ec1d0e5b729eab2f28a1585a023728c5aaa9fa184b786b52a337 |
103 |
91 |
Kill multiple process |
Joe Security |
Joe Security Rule Set (GitHub) |
868e81758b31ab7d5c37adbd3798dbc1effacb9eeaad44e5f6c5f41c409fb786 |
103 |
0 |
Potential Privilege Escalation To LOCAL SYSTEM |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7e17cc0d521f2433baf3ca36bf22ec2946bb387a555fee75aff1c992849a2578 |
103 |
18 |
Suspicious Remote Logon with Explicit Credentials |
oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
3f8d6ccb4e7555cba08aa888810b970a1a0a1f79d2a65b51f323b466542ae099 |
103 |
22 |
Security Privileges Enumeration Via Whoami.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a9f6af870a74ed20bfbc784983dc7fa8aae28d336e2f79a8fa8b72c32d6a9fa0 |
102 |
35 |
Schedule REGSVR windows binary |
Joe Security |
Joe Security Rule Set (GitHub) |
c26e0207e75a84b37249afa14659448c57c0203d2220e8049b52775ab00538dc |
101 |
1 |
Local Groups Reconnaissance Via Wmic.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
386f2bc7492f0e981a3ff4d07a1e865250fb5f4de55f43a70e9ca3e91bd61e31 |
100 |
16 |
Modification Of Existing Services For Persistence |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
01b2124bf0e9019139ef617d15b67080610ffd3584d4fa0cf7c646bd3f11853b |
100 |
43 |
Saefko RAT (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e036021928c6159521691ec6551a2b2c660a651ff2c69171bb3db4fc676b2e17 |
99 |
0 |
Mavinject Inject DLL Into Running Process |
frack113, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
22a0144a5fa16f342a409df0a0b3ea1292a72b8e43c7c844bf06d68f5330fbf4 |
98 |
12 |
Potential Invoke-Mimikatz PowerShell Script |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
eea4b79cda06d89aedf4a8bef48f151e04c00dcefd21c9b9c8dcb3d1457b226a |
98 |
3 |
RDP Hijacking. RDP port changed. |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
a917e763c89ea31922fe3dede8cc03c807a8b52f1a6f9eb0152291fea14c9416 |
98 |
9 |
SoreFang Malware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
ef69867dec66e047e8894803bca76813e63b7a2f0d2bc6938e903f4accf5ae76 |
98 |
13 |
Suspicious New-PSDrive to Admin Share |
frack113 |
Sigma Integrated Rule Set (GitHub) |
9b5bc7e38efe4f1b17f2a923ca4fbbd1303baf2899f224b7e40278aea60cfc64 |
97 |
30 |
Manipulation of User Computer or Group Security Principals Across AD |
frack113 |
Sigma Integrated Rule Set (GitHub) |
080f39fb13644d7055303fabf2a4ace323c7ca1c92ffe33c37a94ed397cecedd |
96 |
22 |
PUA - Fast Reverse Proxy (FRP) Execution |
frack113, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
2efa94e8cb6d016973ddbda2ca94b9db0d935bf31c7d4ede736b02e9d8ed25aa |
96 |
1 |
Potential SocGholish Second Stage C2 DNS Query |
Dusty Miller |
Sigma Integrated Rule Set (GitHub) |
dc5cfaa0b6ff45a4864ee8be51bb9c91ef2f5d94c791e000efb78473258ad5ca |
95 |
34 |
Winlogon Helper DLL |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
071f1cce27ada52da178afa07fd609ed14967f9058b386611411962f4c56b665 |
95 |
36 |
Suspicious MSDT Parent Process |
Nextron Systems |
Sigma Integrated Rule Set (GitHub) |
22974e8b759cb4125a56f2d16e37f8fa3020d7ae087aad754afe46386ea694e0 |
94 |
60 |
CoViper Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c388ee7bf8678acd149ab04cc3dc6f3d923b3c2a7684f42de0c984c16de1c023 |
91 |
0 |
PUA - Advanced Port Scanner Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fb482f5fd709d1ae001f190ee187e694e6ae6473e73b36e57e49b6908a1544c3 |
91 |
23 |
Created Files by Microsoft Sync Center |
elhoim |
Sigma Integrated Rule Set (GitHub) |
90e6abcfde9453786cbe5eb7bd26a659703b1abfdec9d9441778c362dd6be63c |
90 |
0 |
Ngrok Usage |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
c2e9abacba241e42d67c8d6ae1523533d3cb9769cf7315d401744e4266f91ffc |
89 |
2 |
Suspicious PowerShell Invocations - Generic - PowerShell Module |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3f1f1d4b840f1276832b328fab68511c28f6b7918e887279b03e6ea4735bef7d |
88 |
3 |
Wusa Extracting Cab Files |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fb45aeb08550a3b51cede01e424c60a35987f3cba89d7a2e08d5783975154bda |
88 |
2 |
Registry Explorer Policy Modification |
frack113 |
Sigma Integrated Rule Set (GitHub) |
767b140d3dd4f5df18244f9d3f3a79b259843572bf19ec0cea5f646e1f350c6f |
87 |
0 |
Suspicious Invoke-WebRequest Execution With DirectIP |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fda985869abff56461050c96a2f19a215ac6e3636ad0bb952561118e7989a6f5 |
86 |
12 |
Schedule VBS From Appdata |
Joe Security |
Joe Security Rule Set (GitHub) |
b16d941c7cf2248881a4d3da266d63655713389cafe7f2606ceb2b73fbace067 |
85 |
27 |
Wusa Extracting Cab Files From Suspicious Paths |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a3bdc335aeefb2b18bcd061bd2c29809fd034b8ebaf07e3dc6c94af5ff27b7f6 |
85 |
1 |
Add SafeBoot Keys Via Reg Utility |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d0f01e5bb13e8ce7a78203105d6c6fd359d6150767bbbfa4de80faa61bbf2099 |
84 |
49 |
Root Certificate Installed - PowerShell |
oscd.community, @redcanary, Zach Stanford @svch0st |
Sigma Integrated Rule Set (GitHub) |
0226d2c44e3b81cd4d31e7a8e55f6a3e3835b44939f721d5527b610071ebf40b |
84 |
29 |
Suspicious Csi.exe Usage |
Konstantin Grishchenko, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d478344c6645595e8636745bd5f3fcc68955c4777726aba466ad93f133453add |
84 |
74 |
HackTool - SharpView Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
fcd75941371f1c365f40d29f8498522d49065fb5ad8dc28a97b979603a6333ba |
83 |
19 |
Powershell downloading file from url shortener site |
Joe Security |
Joe Security Rule Set (GitHub) |
f05d1fcd81ae053d34629eef4e2f082dd51622b2535713f47860649c3619d085 |
83 |
7 |
Suspicious Run Key from Download |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9bc88dec9bf37149ee55ca532e26602ba2ef11e86aa846ab6e0e461f12768b4c |
82 |
0 |
Powershell launch regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
59bdcb50161e15e215ceab8d779ba112cc633a8bde418fc87d450d05d5e78a78 |
81 |
3 |
Suspicious Workstation Locking via Rundll32 |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7077cb988db6f3b9dad54bcebad8cd59c0e62dd4b3f4f99d281d5e2b721c92bf |
81 |
36 |
Blackbyte Ransomware Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
afd6cd2469ae4639e99a5087deaf57ed3032b6c807da7fb2ff4ccb5eb58c3582 |
80 |
24 |
Clearing Windows Console History |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
30041403950554ea68cae8436931add62874ca499364d423bd04a8ccb124d999 |
80 |
27 |
Gpresult Display Group Policy Information |
frack113 |
Sigma Integrated Rule Set (GitHub) |
fdd0ef0378b9c7a67394fe97fcd782578201d6012af812d4f19483149704a866 |
79 |
31 |
Data Compressed - PowerShell |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
1ea6262b9839c6f8aa32af503fb227a46a6f22b4778711e1a64f62b102e43a3e | 78 | 33 |
Stop Windows Service Via PowerShell Stop-Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad906661229e2ccee26f0fa5a23b6e080c651463299081f5b7a9bdeaa0b4f857 | 78 | 49 |
Netcat The Powershell Version - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 53b2cd18791dffbcc1b31b49b26f0068d68f366bccb84e299cb79ddcccaf04ee | 77 | 14 |
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | af6fba732192700a3e6067cd1013a488ce707b800e7633a9a7aa67b66fd57ec2 | 76 | 18 |
HackTool - SafetyKatz Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e12ef0018b230868661eff7c8a74baf3f9a0ea5e0380b63b339c9218278f2057 | 73 | 0 |
PowerShell Credential Prompt | John Lambert (idea), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | 3673ff480d9b6da69d58b49cdbd4653446b39552e94717447405039cbb476c09 | 73 | 58 |
Schedule CERTUTIL windows binary | Joe Security | Joe Security Rule Set (GitHub) | 5afe0a8f1f7fbc102dbeb6382c6e3e9702f05c872dee6c8309d805831b7dbbe2 | 73 | 0 |
Suspicious SSL Connection | frack113 | Sigma Integrated Rule Set (GitHub) | 862ef09072518dbd7b5900500c4908a6284ee88f03b45ad0c0b20f3eb495f645 | 72 | 2 |
Potential DLL File Download Via PowerShell Invoke-WebRequest | Florian Roth (Nextron Systems), Hieu Tran | Sigma Integrated Rule Set (GitHub) | abaf76ffe44f9fecc068eae92c53e3c5c4059258b40f40eafc69759c4661d667 | 71 | 21 |
UAC Bypass Tools Using ComputerDefaults | Christian Burkard | Sigma Integrated Rule Set (GitHub) | f0a2a0d6b300aa9b5100a3fcd8fda2e183d4c22f4c748ebf056b724965c77639 | 71 | 0 |
Lokibot Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | be942c1d0e5d410fdd49ca407572405db53d2cebec6927a56b86b1bf02d58983 | 70 | 0 |
PowerShell as a Service in Registry | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | edeb7efda75eef0c30275df1148d63a2707963d2d9735d444a56536df2161a9e | 70 | 1 |
PowerShell Create Local User | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 065b49beca5cc42953a5612a7a5342fd18266f128a46b1a788c3f358f775a191 | 69 | 13 |
UAC Bypass Using Consent and Comctl32 - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 45716a61474d8af25ba7318e0bcc946490ebaf1a0ea6c9a73d6fa3d572e58ae6 | 69 | 0 |
Windows Firewall Profile Disabled | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 489692e72dc0017d68cdd2188f43e162f46de9955dce51c32323345919b76b0e | 69 | 15 |
PUA - Chisel Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d130c854a78ff4630994ab2107c3a8b18cc55785432c30b32d253f1c219289a | 68 | 0 |
Potentially Suspicious Regsvr32 HTTP IP Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb39752a4e439774cfd5a035f61c530f6c75b6d694b088178e6c155f78f5563d | 68 | 0 |
Suspicious Microsoft OneNote Child Process | Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | c2b8793bc5dc3f78c117608b17e59499e853d298dba8c03f56b4bbcd6d0c0f16 | 68 | 2 |
Suspicious Subsystem for Linux Bash Execution | frack113 | Sigma Integrated Rule Set (GitHub) | dfbb51364e0deb6fd01f82a709f96be117d3f57ab06c8ac5718d944050856808 | 68 | 32 |
bitsadmin download and execute | Joe Security | Joe Security Rule Set (GitHub) | 613bbc724cd17594b42667a8a5c4df0dff074adfb53a590f30f86743bc9b5b47 | 66 | 9 |
Scheduled Task Executing Powershell Encoded Payload from Registry | @Kostastsale, @TheDFIRReport, slightly modified by pH-T | Sigma Integrated Rule Set (GitHub) | 5e1d76eef43af47ab79dcfbdbb15919232ca5646aef7cc201d8aa1191b2d67f4 | 65 | 0 |
DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4e8573bf949d0f277bff56a18b256181b950262693a43cfad1d247e035aec8b5 | 64 | 6 |
PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 91a0bf780670902c97c569d46226158bdd49738004799b58cd63cc4c9d63ea55 | 64 | 3 |
Renamed Whoami Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | f22be736aa7b4ddd0d6ce96e785fbb7adbcb991517763b72a098333df9610f14 | 63 | 2 |
Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | abdfcf563f91cb4c9b132baa9fd47b92a1e20294c09c02d7571f6fe5505f21d7 | 63 | 4 |
Fsutil Drive Enumeration | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 29dde5587c090e85fff677c9d2643ac2deba99c10c07e68a2e71407af9991486 | 62 | 24 |
Active Directory Group Enumeration With Get-AdGroup | frack113 | Sigma Integrated Rule Set (GitHub) | 2363089b66b3f43001c4d30a1a0d4a7a622db02c1b8f68a3aa3be7c674be645f | 61 | 34 |
NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 5bced7470eb37ada15efd448b0a87615727c93557e648e225c3ee894c4b0ff08 | 61 | 29 |
7Zip Compressing Dump Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2194ceadd602ef4103a4715be6673214407021d3ff227fc3c520c0b9f51d9008 | 60 | 14 |
Delete Shadow Copy Via Powershell | Joe Security | Joe Security Rule Set (GitHub) | d91fb994dcf44dbdd52950e6db5cdf99eba912926494deb2f92f3f2dbf232740 | 60 | 0 |
Office product drops executable at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | e0e4a0d55b1462c34c5c59221f7b9ae4b1625aa019f157ee2d60b21d286df9b5 | 60 | 0 |
Powershell Local Email Collection | frack113 | Sigma Integrated Rule Set (GitHub) | 7a8c60222c9d0320cd13f6c3e00c4279e2961daa1560bebf35dfe8f0de4387a4 | 60 | 21 |
Suspicious Usage Of ShellExec_RunDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 583f46a94081ca6e4e09e8191f1cc5fe8a0b11239ca27da18ef2ad12a48786b7 | 60 | 0 |
Cmstp Making Network Connection | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ee0f25c3d0b70476bccad0e57a0351cf8822d966bb558a9a49836dccbc9fe41 | 59 | 0 |
Delete All Scheduled Tasks | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 828f57327c792b3d7689543c6e7d2a87b71f15589b3c45366d0486473f86b2c1 | 59 | 3 |
File Download with Headless Browser | Sreeman, Florian Roth | Sigma Integrated Rule Set (GitHub) | ab434fe480ee2a7a4567eef38af37753eb61b2fe82708db1056313a73ab0fac0 | 59 | 0 |
Nslookup PowerShell Download Cradle - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4755ccbf487b7c6fdaea8383493917837a2c86ff682d94f0f57d6b09349e0ddc | 59 | 11 |
Powershell Timestomp | frack113 | Sigma Integrated Rule Set (GitHub) | 5b5656801277c44d48ce3c9f4c8c393d55f8c0943d2c641d4968a012bd160f38 | 59 | 12 |
Obfuscated IP Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f9580d1ddc8753d3db3625ce853e150314b148df4d5279a69d3781cc031996c9 | 58 | 3 |
Suspicious GetTypeFromCLSID ShellExecute | frack113 | Sigma Integrated Rule Set (GitHub) | 88dfd5a01f282c28ca7996397793be5f0d467366ce982def90143e1503ce84ad | 57 | 0 |
Suspicious UltraVNC Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | a1005bb393ae9323ec95dc47f2348fea7262e1297f7d5c4e3c9b21b672fe467e | 57 | 6 |
Unusual Child Process of dns.exe | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 1a409a5e5fee95e8f39012c0517568143fbf3ceac2b7bf87e81ab5eb50d8a6f9 | 56 | 14 |
WMIC Unquoted Services Path Lookup - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 420c9214a5aa1f50a2a85504e221b82931637956daecbfebfda630bb7c586f60 | 56 | 22 |
PUA - Rclone Execution | Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | d682d09d3c15912248f0f367d755338bbf871b25380f62525ba288c8bf90689e | 55 | 33 |
Potential File Overwrite Via Sysinternals SDelete | frack113 | Sigma Integrated Rule Set (GitHub) | c79aec25ed8a3cf07f3a43954d8dda5823dc140075f59c4e0cae1e5a3aee8072 | 55 | 9 |
Service StartupType Change Via PowerShell Set-Service | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a1369ba6b294845b80eaa8e066a683a25e6d2cd458f78a519a4aa7cea4b3fba1 | 55 | 45 |
Windows Defender Firewall Has Been Reset To Its Default Configuration | frack113 | Sigma Integrated Rule Set (GitHub) | 00b96bc8d00802244409c54614fa31f98fe83547c5c43f4fd78e891c16f792e2 | 55 | 5 |
File Created with System Process Name | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e | 54 | 0 |
AADInternals PowerShell Cmdlets Execution - PsScript | Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6d5567356ba0845cc4858843f110d6459b2d79576a5e0139dd7b2218b9f556e8 | 53 | 51 |
CrashControl CrashDump Disabled | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de530c1426a408ae40cc5a51e752587348efab456b3dcc12204b8c47a389eb83 | 53 | 1 |
Execute dll with txt extension from temp location | Joe Security | Joe Security Rule Set (GitHub) | d8d01ff318fd81c3e8579c3f1dbc420f408beb4b67bc9be1a4bbdc759dce812a | 52 | 2 |
LOLBAS wsl.exe (via cmdline) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 55bd30964b2c80cd229425cd10828e1b7c89462547581eb0c4a907c55c87f0a6 | 52 | 0 |
Powershell download payload from hardcoded c2 list | Joe Security | Joe Security Rule Set (GitHub) | 5c6454bb6fd16d176798dcb8685eabffc5295c27b7c2c471512f66343a885a24 | 52 | 7 |
Suspicious Hyper-V Cmdlets | frack113 | Sigma Integrated Rule Set (GitHub) | 62e075896842e5b2072a0b1610a9995667d1edd599e21657ffe829aa871cc56d | 52 | 38 |
Credential Acquisition via Registry Hive Dumping | Tim Rauch | Sigma Integrated Rule Set (GitHub) | ba431c90356b826afe0f0c811dab13c54cbe689123f1167962b6bd8f23edbb25 | 51 | 1 |
NetWire | Joe Security | Joe Security Rule Set (GitHub) | f1f1e749b0e91b9e079a2fb92be3e128291eda84c02064028a1d037f450f864c | 51 | 0 |
Suspicious Execution of Shutdown to Log Out | frack113 | Sigma Integrated Rule Set (GitHub) | 3970bd95a88d05869fab2e89b8b02fda81406f83ecd9e197b1249a06a3f8eb62 | 51 | 14 |
Registry Disable System Restore | frack113 | Sigma Integrated Rule Set (GitHub) | 39ac4b0484423463b1d746fc5446062ea1299bec08a2dd2bc058efcd9c06f2e0 | 50 | 8 |
Suspicious Unblock-File | frack113 | Sigma Integrated Rule Set (GitHub) | 71c164abf414b20e2e799e16de648202a68a8205db9f81d0dd28495ba9ce1ce7 | 50 | 20 |
Mshtml DLL RunHTMLApplication Abuse | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 81da16a2acd4f2ead3a5744748fade75b7d63b7ec6498731e5106bf2d48265b6 | 49 | 3 |
PUA - NPS Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9b4f9dd1295bf299dba100d2a75a3f7188ba51a90dda3e0bf371708f55a40507 | 49 | 3 |
Possible Process Enumeration (Sysmon/Windows Logs). | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 1b3947466060dff55a89da9e24ec34cca8df9c4dbf704a3b3a9120eb3df96e3a | 49 | 25 |
Renamed PsExec Service Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80d7ce564675dedfdbf8c13540cced6343bb1708c20306349a108b369920509a | 49 | 9 |
Windows Firewall Disabled via PowerShell | Tim Rauch | Sigma Integrated Rule Set (GitHub) | a0a3572f7e566559cfcfc8970108fc01b0ad35103e76b5359955ed4c7d4ac60e | 49 | 3 |
Suspicious Get Information for SMB Share | frack113 | Sigma Integrated Rule Set (GitHub) | 78af9841681cc3ae06f2b42827aa5b5f54e7e1cd67967a87cc99a5e7d4cfe18d | 48 | 30 |
UAC Bypass Using IDiagnostic Profile - File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31d928b4b0adc82d81a6490585e87953d808c285ed5d3b25bbe1a461234e37f6 | 48 | 0 |
Query to Ammyy Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 5d5ea99f7c040a6706db9d67e16b384eebe02132d410d1f9edc4131c8045469f | 47 | 0 |
Replace.exe Usage | frack113 | Sigma Integrated Rule Set (GitHub) | 067314a472e516edad2a871cb6ccc07c4490f9e36622e820cb8d7ff88b0f9fd5 | 47 | 25 |
Request A Single Ticket via PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 7b7092f37f648c00a538947e2cb178b5c50e31e552b8bff8251ffaf4d4e49a68 | 47 | 6 |
Suspicious Whoami.EXE Execution From Privileged Process | Florian Roth (Nextron Systems), Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | f3863a9acecacb856747d09b6541ff99d6245853902c8785a4d4985fde12bf22 | 46 | 8 |
WSL Child Process Anomaly | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39a511112093810c2b82b35c4c8575b0f249dc7b9e8631fe75c6481c5c7e2658 | 46 | 0 |
Rar Usage with Password and Compression Level | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 02930d34935e0616b2711790272271498e2a5a03bcf66372f0985d2e89cee1af | 45 | 0 |
Office Applications Spawning Wmi Cli Alternate | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 4e7dcf0bdb7133795dc5f59a3dce3f19d7a78ad417e3b41e7dea915b76bdfd5d | 44 | 0 |
Powershell create lnk in startup | Joe Security | Joe Security Rule Set (GitHub) | fd5c77e4a6ca9deb325d7525e8219d80cc70e6bbf765e2d75ab4f30f6be7cc9a | 44 | 9 |
Regsvr32 DLL Execution With Suspicious File Extension | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | f64c98dfb55189f8f65b8dc8c77a020a4c869933083e1b3ef087e4dba264e864 | 43 | 0 |
Rundll32 UNC Path Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e3e74fa33e688408b75baa0f3988d754504296233bf1904baa587d8b17e3c4f8 | 43 | 7 |
Communication To Mega.nz | Florian Roth | Sigma Integrated Rule Set (GitHub) | f13e798225ef1d32c44d8511ab7c95a58e93d46b8c833bfb47f55eb5d9bb69e2 | 42 | 18 |
NjRat Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 44649563045e4b39ea5ec24c20ca7aa44cde80384aa9b3de04a8bb30862d934e | 41 | 0 |
Use of FSharp Interpreters | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | ab87de6df917b48304e512d979d27ae1a0c4b3b63106217afe10aa1059195e7e | 41 | 18 |
Automated Collection Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | 511fcd38b1cd4057f3b3568707032548bac72899a4b3c932f3614c6d89d417bd | 40 | 9 |
Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c536e387a5fd3183e46be3c9a492ab73e5ade9b45179341ea25fcfe383cee92d | 40 | 2 |
Changing RDP Port to Non Standard Number | frack113 | Sigma Integrated Rule Set (GitHub) | dc0c536bf76ee17ec594024c9b331e97f259d945e0c52ca0f468b6d323906d8b | 40 | 8 |
Powershell Inline Execution From A File | frack113 | Sigma Integrated Rule Set (GitHub) | cbf84e925032ab806dad545cb848e4318b275d75f3a40c8cb9664e0172444779 | 40 | 4 |
Suspicious Execution of InstallUtil Without Log | frack113 | Sigma Integrated Rule Set (GitHub) | f87a49b6d1417f2f418f84c8a8b3d23964133dc7c1b7e18b02a1d2b8deaba8a0 | 40 | 21 |
Suspicious Hacktool Execution - PE Metadata | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8b5d84914e5e7715fc7effca7b1d2ad513d7fee3b5afb0e324a42c2d3103cd49 | 40 | 0 |
Cscript/Wscript Uncommon Script Extension Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1168f1f8b0347e370d4f049726cef5752fdd4db77ea2e8f33d611739f3257b7c | 39 | 5 |
HackTool - Certify Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1feb34fc6cb1b6cc6e7f79cf3437684366634b5dbbdfd6e053e0f07cdecdd327 | 39 | 11 |
Qealler Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c8b5691bd0f6cb0670869259285160320643f60ba111d9c93b81c6bc5e088037 | 39 | 13 |
Suspicious Get Local Groups Information | frack113 | Sigma Integrated Rule Set (GitHub) | 098feee88c8a66070a3ec1f3c56be0ede46676cee2b799ba6d309360ce563ba7 | 39 | 15 |
Sage Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 71d449cc65c29ab2e4fee214298f208b87225361a0f65f0f2e73bfd7875b1ef7 | 38 | 0 |
Disable Administrative Share Creation at Startup | frack113 | Sigma Integrated Rule Set (GitHub) | 529a42d20f26a0247c669d877e7a0260adfafaaf2627c9f33ad4d8b571e8d20a | 37 | 0 |
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 30c408d940a17c92bda9a7a3661343cb4849cb5206311af462dfa18993f9f0c7 | 37 | 0 |
Potential Homoglyph Attack Using Lookalike Characters in Filename | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | f311f45a27e981db5c1aff6b1880679af30210f2426d026f442a886afec6ac05 | 37 | 1 |
Query to LogMeIn Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 44c5e7c7bdc6965af0ddf07703f708dcda09e583e4c473d7b247067132a8704c | 37 | 18 |
Suspicious OfflineScannerShell.exe Execution From Another Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 9c3168b8b2ff965a5cf3ed36f4ce722df9e09021fbbc44075916c77d2132bc8f | 37 | 4 |
HackTool - SharpUp PrivEsc Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b9df87571912714cc7a36f7a1ca3fdd9625d8ccc37a12862bdb202fba7c22869 | 36 | 1 |
Netsh Port or Application Allowed | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 7b1f3cd9ca9b55feb5fdd5c8e1821348f2d78745282b41055af44f88df612112 | 36 | 2 |
Suspicious Rundll32 Script in CommandLine | frack113, Zaw Min Htun (ZETA) | Sigma Integrated Rule Set (GitHub) | ee7fc4aa3dcf06ddc37a9dc24c2fe5a2d394cc53d560d2214a8f5455eedb6291 | 36 | 3 |
Testing Usage of Uncommonly Used Port | frack113 | Sigma Integrated Rule Set (GitHub) | 45fddb986c296e8a5cc65d9e7d93b5666adb505378e865f501b8a9946a4cc8fe | 36 | 11 |
New DLL Added to AppInit_DLLs Registry Key | Ilyas Ochkov, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6f134f381913ef9221138f615280ca41e252e823168d7d580ab6e713e10beca2 | 35 | 0 |
PowerShell Base64 Encoded WMI Classes | Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d5a6acf8297313dfc47ed41e174ccbdcf2ac0a174e059a599f880ad761dfe89 | 35 | 1 |
Script Event Consumer Spawning Process | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 99d3f28b790cc9edbf77b5fddd446d2ec05f85ee550310a2a3863e3171a9bd54 | 35 | 0 |
Suspicious ScreenSave Change by Reg.exe | frack113 | Sigma Integrated Rule Set (GitHub) | a87fe4afa527fd01cbb17ee26918bbf87dacf9b429f97ede32b8831532ec4d59 | 35 | 7 |
PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 2638e4eb6733f565f75759fc7f3c7b2ce2d92f7a231f14859cad11aa82b929e9 | 34 | 1 |
WMI Execution Via Office Process | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 58a51088691ea6b0bb320e61f961a96216f54913353095e97a5b5c6e94ce74fa | 33 | 0 |
HackTool - SharpChisel Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23eb4319cc6c1995a632adb591fa9b089822a7ef6061519fdc43832fac6bfb69 | 32 | 14 |
Potential AMSI COM Server Hijacking | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 738acd800035a9376f9c5ed9937f647fdc87ccefc57ccd0fab07a3fc108fa255 | 32 | 0 |
Suspicious Key Manager Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7e5c778b0f4b6273f393fd9e32d97fe4145b2b1b3a8de87a9e02cd66f9c4383 | 32 | 32 |
Process Explorer Driver Creation By Non-Sysinternals Binary | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 99c7a3c2ca557dc3ff22980e34539383c6be02b29d75aed44570e5292dfb47cc | 31 | 0 |
Scheduled Task WScript VBScript | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 58bd50bf4c2f3dee57aac7f6c2f5671bd781f59b9e71a8c191de01ef8cf53de0 | 31 | 0 |
ScreenConnect Temporary Installation Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | cbf91c8dea063cd256525b4053b25b4afe0528021d02d0b0d380321ebc5c9a7b | 31 | 14 |
Suspicious File Download From File Sharing Websites | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 81df8b624648173975c91181526939696ab64698fa03b22522b81744d5cc10bf | 30 | 30 |
Suspicious Powercfg Execution To Change Lock Screen Timeout | frack113 | Sigma Integrated Rule Set (GitHub) | 82b3e64b1ffbd6e42b9c816c24dd39f029501b0a8e06e337701dfc101f978f0d | 30 | 8 |
Monitoring For Persistence Via BITS | Sreeman | Sigma Integrated Rule Set (GitHub) | f9b2dcdba235a40678fcd4411540f98adc4caca054a247054eba6b040b37243e | 29 | 1 |
Suspicious Get Information for SMB Share - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 8f4c645fe661dc0ebdeff288f1761a20acf930f02e4c51bc48e6bafc245c1006 | 28 | 21 |
VBScript Payload Stored in Registry | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc67cd797236fcf12f7a5e58c0d5fc50318e74f58c9d17e6bf7905e87c5a9c21 | 28 | 0 |
AnyDesk Silent Installation | Ján Trenčanský | Sigma Integrated Rule Set (GitHub) | 8c68ebe0db23e4f70c3621d56e4ce298dcf255e61288342e6b4760dd0af96c85 | 27 | 0 |
Netsh Helper DLL | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 67f08eeb3f74c7dcf4b8985150f3df56b390aec0e1d3edb45a75c360f73c0134 | 27 | 20 |
Network Communication With Crypto Mining Pool | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5f96c8ad390b56fba16309ec092ccde0290c7896bd2bfd7c49b738c77dc36bde | 27 | 0 |
Renamed Msdt.EXE Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 547b4f9fe578b9d949c01be391e76decb1e95b632ac54aac474eb858c0f1f5b3 | 27 | 1 |
Suspicious Eventlog Clear | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a049127770d6c92e914c0806277852c3b69f5e9cc86ca0f687e50e60c12d8868 | 27 | 9 |
Suspicious Nmap Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4225d7662d0eec6d20893e2e9f75328a37cc7a24ba7f1932e3c993cf482e46d5 | 27 | 13 |
New Generic Credentials Added Via Cmdkey.EXE | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b71ea6893f3e92a9d7d7ffb0de6a327a1a755b01c115465f079fa8cce81013d5 | 26 | 12 |
PowerShell ICMP Exfiltration | Bartlomiej Czyz @bczyz1, oscd.community | Sigma Integrated Rule Set (GitHub) | 504cd1bcea14d3f138e4253108d6978349e99adf5984333e0d5d78865dd1a481 | 26 | 21 |
Suspicious File Downloaded From Direct IP Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bba68f86faec56fff7827bdc8b4bb20cf69d80ccf8c956daadc7bd68839665ed | 26 | 1 |
Taskmgr as LOCAL_SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d1e002f037bffd9b91901474efbd1036622a788849898b81570d37d3ba34513 | 26 | 0 |
Remote Access Tool - ScreenConnect Backstage Mode Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d5b76fa3cab42361e745d7a1c59d40820a1cab108d30fd2d9fef6c3aade085b4 | 25 | 5 |
Potential Suspicious Windows Feature Enabled | frack113 | Sigma Integrated Rule Set (GitHub) | cdcec55ed90affa3868db81d308f5a76204c51b717f1cd5ba3c9feee5ce926ec | 24 | 17 |
PsExec Service Child Process Execution as LOCAL SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f568e89bc8387361d0bc168c8a46059280d10de1ecffdc0e99533b7b290401af | 24 | 2 |
Run from a Zip File | frack113 | Sigma Integrated Rule Set (GitHub) | 5cf936f9d2feaada449504fe406fc44b2ee6f674a4433863662f135096618431 | 24 | 6 |
SQLite Chromium Profile Data DB Access | TropChaud | Sigma Integrated Rule Set (GitHub) | bfe106c088dbc3f0a1e36442a1cffcf01752c0edc0253863c36640731be1e240 | 24 | 0 |
Suspicious Sigverif Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 56643225c1e622a648289fb75934bcf15ac76a8bdb22a911e9f06d61e7db7077 | 24 | 0 |
Sysinternals PsService Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 647bce287d915da46bf01fa65706878514260f75bea7273d4c5eee115ac0b031 | 24 | 6 |
Enable Windows Remote Management | frack113 | Sigma Integrated Rule Set (GitHub) | 7f8fcfb39f92617ac21dbc51e4c66b0663520cef30300bc28dd89572f6574253 | 23 | 4 |
LSASS Memory Dump File Creation | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | b0e4aa7c882545a1b46a09c373f3abc99ee9ad92c5cb99e1b8764356501b3059 | 23 | 0 |
NTFS Alternate Data Stream | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 535b54123e1e90e346eb48779d2bdc19508f9a3aef7f7cf48bddbbd43f953478 | 23 | 9 |
Service ImagePath Change with Reg.exe | frack113 | Sigma Integrated Rule Set (GitHub) | 3a4567bd735e7ae20a9b3bf3921ad6e9acdec3b957cdbdb4eebfd6feed5670d3 | 23 | 5 |
Suspicious PowerShell Invocations - Generic | Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | d0b30db49f680fc7c412d09dc2099e655eb262fd5ef5b03fb5304663ab79137a | 23 | 3 |
DllUnregisterServer Function Call Via Msiexec.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2e95aeac423a48e1ef8f7275c2f49a8fe3fe9a7e83b9db9f856d1f2d3edb1a10 | 22 | 11 |
REGISTER_APP.VBS Proxy Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d663b64fac0627c9d7a810d3e1e3c10a5321e0d9f0ff82bf3f9ade891ad15e9 | 22 | 10 |
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9c7804b6bfb1ca0e93a863185af19f14432fde4b07d2ac68fb1a44032467c98a | 22 | 9 |
Suspicious WMIC Execution Via Office Process | Vadim Khrykov, Cyb3rEng | Sigma Integrated Rule Set (GitHub) | 651f584b690a75e06a7e634cec7a11b17555debdbfffe3f765a988b80ffeacbf | 22 | 0 |
Use of TTDInject.exe | frack113 | Sigma Integrated Rule Set (GitHub) | ce2c1d30a6032c8bf814508ea0142036631b7b690cff7d809dfac541ddf4c01a | 22 | 15 |
Access to Browser Login Data | frack113 | Sigma Integrated Rule Set (GitHub) | d3129d20de2d7890e0b90366b7a86a16ce9ca2c330c67005b72bfbd4105aa6d8 | 21 | 5 |
Change Outlook Security Setting in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | ad1841979098a6b76c24ea780263b9da230373dc9a0d48d841538ec02cecb447 | 21 | 0 |
HackTool - KrbRelay Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03e06bc61499c16b25ec22e9681f9e9633dc812e30ec543e7a5105ecbf3220f4 | 21 | 0 |
HackTool - PowerTool Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 24223dcd765ae37fd40f3af1054e55119422246e8933dc29b1debbd1cfc67d00 | 21 | 0 |
New Shim Database Created in the Default Directory | frack113 | Sigma Integrated Rule Set (GitHub) | c028d3fbfe3db756b5129f320616cde63b9929b02e91fb76c1b12fb726eafb71 | 21 | 11 |
Potential Renamed Rundll32 Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6473e93a221b66c30b661dabfde02604f395c46f8e019efe0b3db46cd7dc03e7 | 21 | 3 |
Potential Snatch Ransomware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d48381be3227e49cd9d42fdf472184d9e4db1b4fbe72ee6048739f0af5913e9f | 21 | 1 |
Powershell XML Execute Command | frack113 | Sigma Integrated Rule Set (GitHub) | b8a4fbd826f854871ab62dc0ad49ae048575057a6293a2c8109f04b8662a8162 | 21 | 14 |
Suspicious Cobalt Strike DNS Beaconing | Florian Roth | Sigma Integrated Rule Set (GitHub) | b55c667fef3a16ff308f801e44896c36f9754c98321c12bc516a13477130f4fd | 21 | 0 |
ImagingDevices Unusual Parent/Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 95fe2608b1dadcb60e16a7627b715b848f056f452fc93639201d185bd1c91a25 | 20 | 0 |
Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock | Sigma Integrated Rule Set (GitHub) | 4476f97756130311a92e0412033fd3fdacf6c62d0eb95901dcab7519a0236740 | 20 | 10 |
Set TimeProviders DllName | frack113 | Sigma Integrated Rule Set (GitHub) | 4644dba35bcca22688aa47798c36c6f13bf03864da995c52366df9c473e02450 | 20 | 0 |
Vulnerable Lenovo Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b05e5f1c810aad917ec95aa917177c7a3075f44d37d2ed2b21e953dc69c99eae | 20 | 0 |
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock | frack113 | Sigma Integrated Rule Set (GitHub) | 1bccdc208f191ae10d0fa42675f08a37e14e4f39ff07da3fc0c15510993f6e9c | 19 | 2 |
Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 8428866bf6cbf8ea04c18dc9a8ebd493a8a882a9b706b557f71d376cd69fda79 | 19 | 6 |
Office Macro File Creation From Suspicious Process | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8f4f518c1c5f1faa9ad744166d845016dc78c82b4c7f38011fa687462b1afa18 | 19 | 1 |
Powershell MsXml COM Object | frack113, MatilJ | Sigma Integrated Rule Set (GitHub) | 38c7f03136a955c75f92f48bde1f9544a6d996418d05fae60f1efc916f0ea88a | 19 | 2 |
UAC Bypass WSReset | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 03fc63d53dd6f6eeb7fef5848db2e4cd11fc7177c187c398320bb3934b751d87 | 19 | 8 |
Hiloti Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f8a63428721bcc8ad6de541a48e0a1f21d8e73a4f114603bcb7e9066042c502c | 18 | 15 |
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a4380ca308017f92e049147ec46e562ab46b9642b1952944647bb9bf85e4c95d | 18 | 0 |
Mshta Spawning Windows Shell | Florian Roth | Sigma Integrated Rule Set (GitHub) | 464455b93d1b76acf868754cca0e609af558267671ad641714ca27a923efb9ba | 18 | 0 |
Potential Homoglyph Attack Using Lookalike Characters | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | a2dffac0fcddbca9dddd5b57f9a9841ae8948007b05988ff3ba4b101da5fcc45 | 18 | 4 |
Remote CHM File Download/Execution Via HH.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5544bfe63d743fba858c3a75c7dd46a76520367a1278b1fe3d5c5609dc42fc4a | 18 | 10 |
Remove Account From Domain Admin Group | frack113 | Sigma Integrated Rule Set (GitHub) | 2b323eb1de293c4dbf91041f23c3507c4aaf71c4bc36b04ccb8fc5731995a398 | 18 | 2 |
Activate Suppression of Windows Security Center Notifications | frack113 | Sigma Integrated Rule Set (GitHub) | 3729c929acbee7cae1291d3e460c3e673684211679e8a94cbd1297192aafdd06 | 17 | 1 |
Cscript/Wscript Suspicious Child Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1a5f4db4505797dbb968725fb6bf6b357968abf23fbcc6b92acd08a6214e3e4e | 17 | 10 |
DNS Query for Ufile.io Upload Domain - Sysmon | yatinwad and TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 948e697920a298ec6250c9c3157174bb53f162acfe6435ef673ac34c61021f2c | 17 | 8 |
Deleted Data Overwritten Via Cipher.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | d3e54936275abafa46d4b77891ec8f7fe6dd55d420fec613476144dd5d26f1a7 | 17 | 3 |
Disable of ETW Trace | @neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | d85308a28516fa075ee74a4ffd11aea2be1f15add944422ade0969027648a3fa | 17 | 1 |
Discover Private Keys | frack113 | Sigma Integrated Rule Set (GitHub) | 2a86897d4c284135c8e21105377149da6e12d9f57525bfdccdfb55cf4b3425fc | 17 | 1 |
Discovery of a System Time | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 18ed38c04ceafb2aa0b9dcb106310ce76cb1473a4109b6a489663f5c250bd2a6 | 17 | 1 |
HackTool - Inveigh Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2bfe4c7c4dfa23e7dbcb187f2cbe57e783da76cc66114dacec73520935d9bf78 | 17 | 3 |
Hacktool Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b995506076579a8c1f5b600eca139df5fd016994aab5c3865a4f7f7cd0dc3931 | 17 | 0 |
Potential Persistence Via Scrobj.dll COM Hijacking | frack113 | Sigma Integrated Rule Set (GitHub) | 9d0ab0b7154dbe461f0e116296f545e8955e0c85892bcff2de2b680e29ba2af3 | 17 | 12 |
PowerShell AMSI Bypass Pattern | @Kostastsale | Sigma Integrated Rule Set (GitHub) | a7940883a0164e9f8e04f1c88ad85ebf44ddd11d7a06aa93f7c42c3111a33d01 | 17 | 0 |
Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 80e21a1883c10ba77d6f4a1b0b6903e9ba65d57e1874d2cd81b121f762481c64 | 17 | 1 |
Service Execution | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 3edfb66bbbe5056c7df0064ed6164a68632d8d476ab015091e0e33f5159d9052 | 17 | 1 |
WMIC launch script from xsl file | Joe Security | Joe Security Rule Set (GitHub) | cc58aa96e11657d0df0ee460019755b19a5929a979fdadd56569d6b35c03fdba | 17 | 0 |
Bazar Loader Detection (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6e25203533b4bcc3b9ce1805fbf4ec196d2fd6139dcf17880caf0e2952c3ebfe | 16 | 1 |
CertReq.exe Lolbin | Den Iuzvyk | SOC Prime Threat Detection Marketplace | bc9b5e9188d37350da57ebc0b5b9ccc8a2ee828e827a15edb38904b64317a291 | 16 | 3 |
New Service Creation | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 0e01e0ac3c9d7b292996c00466851ff64ca8e3aabb384b096bddba88aa769464 | 16 | 0 |
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2abd81b6396ea687490b2d703ce07c1abd135ba398d89ab839c66e6a43f713f0 | 16 | 9 |
Raccine Uninstall | Florian Roth | Sigma Integrated Rule Set (GitHub) | ce4fb10349cd95756b2f98a27b259d71c99ec9e0323815f2e916737fcbd1d4ba | 16 | 0 |
Suspicious Shells Spawn by Java Utility Keytool | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | b7e93e0475f0c46a1c6bfd3f1f401e0a34bb9c8d73e2308101ed1368b5189de0 | 16 | 0 |
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0caa50babf4475fc8fa04167d47d87d1e0d04294b8534c19e180e2c9dde0012e | 16 | 15 |
A Member Was Removed From a Security-Enabled Global Group | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 1d6eea9825839d71a79ed93bd0f383b8826d8a1ca80c0d063e7f43e648b2d67c | 15 | 6 |
Disable-WindowsOptionalFeature Command PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 3becb58829ad8f8f58a8716e0deb90627269a650475809ba1704d3facae71a69 | 15 | 6 |
Fodhelper UAC Bypass | Joe Security | Joe Security Rule Set (GitHub) | c5017f04443b7c88d4fe320734d24f38108f67663239bc00f5c164081e9b5e0a | 15 | 4 |
Microsoft Workflow Compiler | Nik Seetharaman, frack113 | Sigma Integrated Rule Set (GitHub) | 360867571c752aa9ec6da95a6c3db7a37dda60e6627df594f31f89692b8063d0 | 15 | 8 |
Office Security Settings Changed | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 7210b6208abd6826bfdb8d8666ae792549157fe8070e355cad577fd8f9ef6499 | 15 | 0 |
Password Cracking with Hashcat | frack113 | Sigma Integrated Rule Set (GitHub) | 9621c87be63b1ea5e038a8d2759bc0bbe6a5ee4f322b9763fdc06f159d781698 | 15 | 6 |
Potential Attachment Manager Settings Associations Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beea9838b890b61ccab05d6321880b112538b784e3caf82454293c4c087caadb | 15 | 1 |
Suspicious Auditpol Usage | Janantha Marasinghe (https://github.com/blueteam0ps) | Sigma Integrated Rule Set (GitHub) | 33a4a18ae1a3802586c239be79075294541594b5b603c230af39618577e03fae | 15 | 4 |
WinSxS Executable File Creation By Non-System Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b98d05d95e8a26eef6f1edf143064928002638d3a45c7a007a16c7b3bb5a9cd7 | 15 | 0 |
HackTool - Htran/NATBypass Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | becb1782f61cc6f06558e9bdda4cbc531606bfb0b4b92c0667d6dbde99a67b77 | 14 | 0 |
Lolbin Ssh.exe Use As Proxy | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 2055166f6099144ebb73ce53abe7aadcd74447fb30806756d8fe22ac92352f1d |
14 |
13 |
PUA - DefenderCheck Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d29242190c6dffd993895588fbb9a2918a3e0e636e3cd6560339d9ae469f3bdf |
14 |
0 |
PowerShell ShellCode |
David Ledbetter (shellcode), Florian Roth (rule) |
Sigma Integrated Rule Set (GitHub) |
a8f93a6a21c54d549a6d042e48c067948add81f96231c70f83cdfa345b1f6cb3 |
14 |
0 |
Powershell add exclusion path, extension and process |
Joe Security |
Joe Security Rule Set (GitHub) |
177e7b167f988da0ec82090f6aaaa1ad7e74609b6832a0abb8759bc9e652fee2 |
14 |
1 |
Powershell launch wmic via class |
Joe Security |
Joe Security Rule Set (GitHub) |
1f85dfeaa80a160e0d553a3ac8d1d5139a7622d4d146c43f52eedbe005757ba7 |
14 |
0 |
Service DACL Abuse To Hide Services Via Sc.EXE |
Andreas Hunkeler (@Karneades) |
Sigma Integrated Rule Set (GitHub) |
31469fa3c8d37b7e80913d07ce5549c9371e193ac3f0d3211f519adbb2de950c |
14 |
4 |
Suspicious DumpMinitool Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5756a38333b7f693b74fb2c16621de4da8e6e821acbb692ada0984c90768ca6b |
14 |
14 |
Suspicious Use of PsLogList |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2a651ab66176323248a00a1c8f2e0c1d6e82ebbcb2c316bd3a1bce5391cc6b28 |
14 |
3 |
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6a048234462e46cb2ce5b49006ff2d3e6f3a58ef583716ceaf74d911b04c1a85 |
13 |
8 |
ExtExport.exe abuse |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
b74bcba954f168601bf9276abbb38f732599a67e11aa264ce29f8bc3f056aed3 |
13 |
9 |
HackTool - GMER Rootkit Detector and Remover Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e47f51603e07d3225e0193822f65d9ce5fb78441750008f7e5ae695626585c7f |
13 |
0 |
HackTool - SharPersist Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b0c69b8d2020a5d6c12bee42bba9e6d94b6b9045ea1920405133ee19546dbcab |
13 |
0 |
Impacket Tool Execution |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
bcdf3f22e3474c8f1ea65e450422f64bc2fb74de766f420de7cd57827679d7f7 |
13 |
0 |
Interactive AT Job |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
c288d5891a082dd1f38d14b832960d7e1b88651dc301c6985be8e66b561bf95d |
13 |
0 |
Netsh Port Forwarding |
Florian Roth, omkar72, oscd.community |
Sigma Integrated Rule Set (GitHub) |
00fb9d21500af7c2b136a91e80c983e8f98843c063a63898c2775d7a5a91efa9 |
13 |
2 |
Obfuscated IP Download |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ffc754712d43996d8ad6fc8498ab7057e29da0a46860be0cb0daab6dd58f1afc |
13 |
1 |
Port Forwarding Attempt Via SSH |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c815b3703c48114366c7be5b543fc8851073e1b27fde789d784a09a657295a9d |
13 |
11 |
Potential CVE-2022-26809 Exploitation Attempt |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a212f91d8c2a0d339c91a9344ae02c2847e74c85458506b719d65b59e4e79069 |
13 |
0 |
Potential Process Injection Via Msra.EXE |
Alexander McDonald |
Sigma Integrated Rule Set (GitHub) |
973e933a4e2394093f5cce603e5ffadbcf35df2afd29c4dc0e1a002e06d9b58b |
13 |
0 |
Powershell Keylogging |
frack113 |
Sigma Integrated Rule Set (GitHub) |
ed239970ee8d5e197f594aacc2fd6f6f6d3dae189b2b2aaea8c2f5d100939e42 |
13 |
6 |
SQLite Firefox Profile Data DB Access |
frack113 |
Sigma Integrated Rule Set (GitHub) |
aa3ad15f592c022521aa6e4bc687dc3c181cea9b9343b55e1b909bc937113348 |
13 |
0 |
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code |
frack113 |
Sigma Integrated Rule Set (GitHub) |
37beaf97b85714dccecd452e684c29d067adea49095ddf3ec6631dc8acf14337 |
13 |
1 |
wmic launch powershell and execute encrypted script |
Joe Security |
Joe Security Rule Set (GitHub) |
016a456c70d6e45a65219e2ee0e3972cd7104bf98c318e2f088a07f71fde0d43 |
13 |
0 |
External Remote SMB Logon from Public IP |
Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) |
Sigma Integrated Rule Set (GitHub) |
676272e187514be2245c3e99449f737c2a5ccd25c5cc68d52d965c7638c25fdf |
12 |
6 |
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy |
frack113 |
Sigma Integrated Rule Set (GitHub) |
59b625af50fa92cc05953cfdf68d6c931bb58a09a058e54757d152acfce5923c |
12 |
5 |
Possible Applocker Bypass |
juju4 |
Sigma Integrated Rule Set (GitHub) |
b9996fdb64c94bd97526744b8287a3b3b02ac4eceff0980c672209adae0be6e5 |
12 |
0 |
Potential PendingFileRenameOperations Tamper |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3b132597acd67d1315d83f5f329eb2db40a281a5c93df8881e681ba8d6af5a59 |
12 |
0 |
Potential Remote Desktop Tunneling |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
b0551b45d814be91563636b774668bc85acfc296a30640e00aa036f4813d0809 |
12 |
0 |
Use of OpenConsole |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a98f3c123f3a93c1b00c4d125f1350e14a15b206767e6a109767a0229611baa2 |
12 |
12 |
Creation Of a Suspicious ADS File Outside a Browser Download |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c73db505c48b84558f4676b0613f79f5cc2c70db3a96086c3a010c535c245530 |
11 |
0 |
DeviceCredentialDeployment Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
63437b0e9c5e21d2823a28f0a428ee4bad8d30ba59ddbfb9227fe13452f1aebe |
11 |
1 |
Enumeration for Credentials in Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cf1e24c4e4b805857977d873b41de8cf08d618fa56ffb27ece5e9b41e84807d6 |
11 |
4 |
MZRevenge Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
34b4fad92956929789617ef0c367187e5950267fc9fb902893bf5a6583ab5439 |
11 |
0 |
Nibiru detection (Registry event and CommandLine parameters) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
8bbea961d969188574b7fe958c971caadd38b955cc77f21093d7d5d266e4d697 |
11 |
0 |
PUA - System Informer Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a00758f1aca02cbafe08dfea3c9d6fc45ef3972d7e1ccc41ef3df19293c36d15 |
11 |
0 |
Remove Windows Defender Definition Files |
frack113 |
Sigma Integrated Rule Set (GitHub) |
bde07bc9414d410eaf67f99408a24b51b4b8d186451e641a9a90076cfac22613 |
11 |
0 |
Suspicious Encoded PowerShell Command Line |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
09a6527b05920e47aecbebf5df306d1c194b850076e73d74c3b9ead23b654425 |
11 |
0 |
DirLister Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1f0dfd07d0caa1048bb3bb336c0d72bf884362c570c7a4bd683aa30e5f81ea19 |
10 |
1 |
Drop Binaries Into Spool Drivers Color Folder |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2ef7bdcb98df6e413074966907c161b915f676e3f947a452e418049eeed22b75 |
10 |
0 |
Dump Credentials from Windows Credential Manager With PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5058b79d96d2165425d539e148ae3fe578dfa62b75b71f82ca2bd6bc347be4d5 |
10 |
2 |
HackTool - Rubeus Execution - ScriptBlock |
Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
98b35d6064ab9d23d69cf136567c9243c969bd5a1bf0f88f94c768bb1c624d71 |
10 |
0 |
Hidden Local User Creation |
Christian Burkard |
Sigma Integrated Rule Set (GitHub) |
084f8f629ce19b2d68d7e27615e59a3ebea0e92f94d25fffcdf6981152cf5efe |
10 |
1 |
New or Renamed User Account with '$' in Attribute 'SamAccountName' |
Ilyas Ochkov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6c5cfe607309f4bc96c1644752af6a875fd27ea6910ddff26e40a4ae64a26e05 |
10 |
1 |
PUA - 3Proxy Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b64369f53ef70c3d7e1d585af2907c0131463758488f404288df85bbb2891ee7 |
10 |
0 |
PUA - CleanWipe Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ede87d3abc8a99be3ca19ab4102e923f13e3f7b181cde6eddea9e6f1593b1e77 |
10 |
8 |
Potential QBot Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0453733ce01d4d10623584c342bf2a905ff761f1fb7b0bfbadcb80e8d940c32b |
10 |
0 |
Renamed BrowserCore.EXE Execution |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d41dfd30129ef96d21bf50a0af9161636d21ec67ec25000786a06ba54a7cb7b7 |
10 |
1 |
Suspicious File Characteristics Due to Missing Fields |
Markus Neis, Sander Wiebing |
Sigma Integrated Rule Set (GitHub) |
608e0e17d25bcba31de608552a073a6677d4f626ab55bce353a686eda3f60bcc |
10 |
0 |
Suspicious Get-Variable.exe Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d3f846e7661da10674d978e09815c9157764a57fc6651e2b2f8cb498cb4220b0 |
10 |
0 |
TAIDOOR - Chinese RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e3cdbb4de2c006685f06e358196d7f41ab1098005328b93d9834acae72ddaef0 |
10 |
1 |
Use Get-NetTCPConnection - PowerShell Module |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e69f9e383811e595a9561c923eddfc5df48f9e54f4df8fa281fcef6b501048ac |
10 |
5 |
AntiVM |
Joe Security |
Joe Security Rule Set (GitHub) |
53c56007ae94680c26786bcd895d2087db975d72635c0646c8e0ee8b2ca6539b |
9 |
0 |
Code Integrity Attempted DLL Load |
Florian Roth (Nextron Systems), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
02c7efd9db64dc8e5d5e82d3bba880a3b1ab9e0fec19e15c668b9a63e1d58fb1 |
9 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
25727cb75bc931bc91e433f5340be32ccedd13bf460a2fd8da5b1a8d8b4a369b |
9 |
0 |
Direct Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b |
9 |
1 |
Disable Microsoft Office Security Features |
frack113 |
Sigma Integrated Rule Set (GitHub) |
db422d3f89e405109467a926cbee52085ff1a33cf97bc054529a03a316dafa2e |
9 |
0 |
Disable PUA Protection on Windows Defender |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
09a64c87ba1b11c75a19c495d100b0ef9fa95955560f0e1b4f9f2842159caaef |
9 |
1 |
Dumpert Process Dumper |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
f98998b2f0e9bb08954d741777bfdb257c7cb3dcce96f88af84ecf966e2e5695 |
9 |
0 |
Enable Restricted Admin Mode To Bypass MFA (via sysmon) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
7b0a12d70498be6b75106baeadc6572fa8f03b6e6ce96998c3c84f14e5dd19a6 |
9 |
5 |
Geofenced Ru |
Joe Security |
Joe Security Rule Set (GitHub) |
562da91a76462659002a010f3f5e20f6ea8d3c7771e342dce7b3d0b5b2421eb8 |
9 |
0 |
Import PowerShell Modules From Suspicious Directories |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8d3babfc30026e6742962ab48698047f9a8036f0689ca28804828a0f4c74c1a6 |
9 |
7 |
Inveigh Execution Artefacts |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
04a3ff78807e08f6f792e8645f0d500d0b8ee72ef7ccf43d29295bda7cfa1c51 |
9 |
0 |
Legitimate Application Dropped Archive |
frack113, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
0b57c6b31ce9eea5f85c018839666b92eb3444ccbb55a5d93f7b89a74cb7daf6 |
9 |
0 |
Locked Workstation |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
b1f5ca9566ca9b549b32bfe57eee2e7ec1ae42a47aeba5cdf24c69c64e35dd5f |
9 |
3 |
Microsoft Sync Center Suspicious Network Connections |
elhoim |
Sigma Integrated Rule Set (GitHub) |
c122f750d19364e5cdb16e7fcce3cd01da31e9d258cfd5dc255864758d7d44b9 |
9 |
0 |
Potential Keylogger Activity |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6e703d50e111ee23983e8b6aa4d4451e1e59158b2bb8bd0c0a7bbe38c708c4e3 |
9 |
2 |
Powershell Trigger Profiles by Add_Content |
frack113 |
Sigma Integrated Rule Set (GitHub) |
9ed950c94ef5dce1af4ac6ba1eb25704edd170e1a75506e3095eb362e63eab6b |
9 |
6 |
Query to GoToAssist Remote Access Software Domain |
frack113 |
Sigma Integrated Rule Set (GitHub) |
543100b86d56272595d663cd87539f09fb01e9ce06b5d847c2bc9ad88710b17f |
9 |
9 |
Registry Persistence Mechanisms in Recycle Bin |
frack113 |
Sigma Integrated Rule Set (GitHub) |
661375a6a064f858d66665c13895d00ce56bb356ccda48cbc40727b9b6f4e220 |
9 |
1 |
Shedule powershell with encoded command parameter |
Joe Security |
Joe Security Rule Set (GitHub) |
915a39321a250831a95cbb6b6598214820d1be1095aee6555106a9ca7d02a36a |
9 |
0 |
Suspicious Scheduled Task Write to System32 Tasks |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
3da113395881b8606ab35684394038c9c59eb8dae1b899ed92a2c40df104f5aa |
9 |
2 |
UtilityFunctions.ps1 Proxy Dll |
frack113 |
Sigma Integrated Rule Set (GitHub) |
49b5176aaffe3fdb7bacc0dff70b5ac48bf0872faf993e311c4f5530db76a160 |
9 |
7 |
Winword Drops Script In Startup |
Joe Security |
Joe Security Rule Set (GitHub) |
04a0af687c3b9094f9252dc38ead308fae7facf86cb7e4bf728075c9b17ed9dc |
9 |
0 |
BloodHound Collection Files |
C.J. May |
Sigma Integrated Rule Set (GitHub) |
ea90a9d0a5b0365173a60c78d15843211f9bc89dd93a164a6b464b66d82da85c |
8 |
0 |
Delete Important Scheduled Task |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4b6a191a02d514b34f125957168469a325b2720a4b3592aab7d5528aa5afad64 |
8 |
3 |
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
3fad126ae93b8bb078502d36cb4e234c89c2539784bb1f8e446e615d3f54c186 |
8 |
0 |
Disable Tamper Protection on Windows Defender |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
bf1de3b61466c6018ee71be3f901fb544ddb30709a256ce88ddc19444b5a1ea1 |
8 |
0 |
Execute Scriptlet Via Regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
568224310775bb02fb9ae53d55d8f7c8bc1daf93e73db7670b15f8b6f421f00d |
8 |
0 |
Findstr LSASS |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e3175b1068c342ed7e05a42913dc8cb72ea0167a81bf24fc620261d4ec40f78d |
8 |
1 |
Meterpreter or Cobalt Strike Getsystem Service Start |
Teymur Kheirkhabarov, Ecco, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
22ddfce5e8a79e957f4dbdceb97e27d764b010d395a20fd45cf95a20d02b53e9 |
8 |
0 |
Nslookup PwSh Download Cradle |
Zach Mathis (@yamatosecurity) |
Sigma Integrated Rule Set (GitHub) |
6abd8206d99c8274a0842b1790664265abba050503b2bbafabfd33fd68b91cf0 |
8 |
1 |
PUA- IOX Tunneling Tool Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
df765eaa567c547d6a5b1ade1739bfcb54c5c9a76cabb60de34451560bdaf198 |
8 |
0 |
PurpleSharp Indicator |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
8cdb5f2da7eb9e3002ce4bbdd8a373b7dcd25103b4373f9b672e54f74c5316e0 |
8 |
0 |
Remote Thread Created In KeePass.EXE |
Timon Hackenjos |
Sigma Integrated Rule Set (GitHub) |
c7b5dea156bee8e6c2b83c210e6135eea01b42f8c08ec3f18fd04046036bf973 |
8 |
0 |
Sdiagnhost Calling Suspicious Child Process |
Nextron Systems |
Sigma Integrated Rule Set (GitHub) |
4254515e2214920c73b9dc8a7c9f084744461c248ca9e42ffb9e113d325a2615 |
8 |
0 |
Suspicious Process Start Locations |
juju4, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7776601555567f764fc3e22722bef1fdde521b5bdff9fff38f9031e9a3f7ce54 |
8 |
0 |
VsCode Powershell Profile Modification |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
59db8591e12ce774c3ed205213760eb2341a6314257edbd898e991ea42d98e80 |
8 |
8 |
COM Hijacking via TreatAs |
frack113 |
Sigma Integrated Rule Set (GitHub) |
849823df2c9dd0af3b0d2474c1008165e48a5accc0c613e62140502a1eb678d8 |
7 |
2 |
Decode DLL Via Certutil |
Joe Security |
Joe Security Rule Set (GitHub) |
512a021b2a6002cdc06a23350dd7744a78311e5eacbe59b19864a594b50fc33e |
7 |
1 |
Deletion of Volume Shadow Copies via WMI with PowerShell |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
c7ad5ab5203e14414fcbfb23542125d64b7aca04b7afe48d594ecb9b7c117ec3 |
7 |
0 |
HackTool - LocalPotato Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3830810896e4e4a4cb02898a844b8488dd8240175e569b96a950d8ae6bcb9c88 |
7 |
0 |
HackTool - PCHunter Execution |
Florian Roth (Nextron Systems), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
8046d8e3f3ef408857439eaf28938b362576b464ba00290a73789cfc2fb05d9d |
7 |
0 |
Hidden Tear Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
6416d92c1d6493914510053de27fbb52201520df66cac075111034d37aac4194 |
7 |
7 |
Notepad Making Network Connection |
EagleEye Team |
Sigma Integrated Rule Set (GitHub) |
eebf53f371a18d7f8d6992a935d2fbfe811f3d78552949a0597456693cffd553 |
7 |
0 |
PUA - Sysinternal Tool Execution - Registry |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
35df1aeee1f1078e25bb64a8af513db99a7df8736e4847041fddacedf6b747c9 |
7 |
2 |
Potential Data Exfiltration Activity Via CommandLine Tools |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
10f9b0f9e2b7be69811ff067e358984311772914e6957f50adf963207948fe4e |
7 |
6 |
Potential LSASS Process Dump Via Procdump |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a6a60c80601bd33b44e65b559f9e53c0b9237ab7f54ca97530065cd494662e3b |
7 |
2 |
Potential Recon Activity Using Wevtutil |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
df4c82057d61dd45f1a9a17a781614a8918ad397600ddeee25a1615fb75459e8 |
7 |
4 |
Potential Suspicious Windows Feature Enabled - ProcCreation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
357a1509ab7f78c2a398c655fccc9dc788108fb9790efbdce90601bcd6d4b4de |
7 |
4 |
PowerShell Get-Process LSASS in ScriptBlock |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
cac21fdc92116671a9e24502beff8b3cc9b77c6d7a23b8f10aefa65821fd9014 |
7 |
0 |
Suspicious Process Patterns NTDS.DIT Exfil |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9c132dee2c953c2d2497b3e00b2cf2309bc1f44409b130f0e34af66f9edf8713 |
7 |
1 |
Suspicious Reg Add BitLocker |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1e5c4651907cea569ba4493fc4d9c634d654da730dcdfa36412180bfb694dba9 |
7 |
4 |
msiexec download and execute |
Joe Security |
Joe Security Rule Set (GitHub) |
80df93b91d026bd6faf3f28497aecc8b5a81a6553fe9336a204b11f4dcef8733 |
7 |
1 |
CobaltStrike Service Installations in Registry |
Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
eaeadfa6378455d35bc7d294a678cf68a5a8c6c2b5417d038a80d96bdf2e76de |
6 |
0 |
Disable Windows Security Center Notifications |
frack113 |
Sigma Integrated Rule Set (GitHub) |
bdccaff58cca68f197ac8f69e4b633c0bb114e3868020f4970296aa9e2866485 |
6 |
0 |
DumpMinitool Execution |
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dd9440afb1ca0cf7997134c36af074fb136e90414cfd1d56903ab43e8c52b253 |
6 |
6 |
Execute Script with spoofed extension |
Joe Security |
Joe Security Rule Set (GitHub) |
206390e3b1deba575d9f4b3f8321fd015223f5177a8f486a56f6d74cd51afab4 |
6 |
1 |
HackTool - Jlaive In-Memory Assembly Execution |
Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) |
Sigma Integrated Rule Set (GitHub) |
ef084ef7df4d6d338332a4adf3272c6d7b031a4529a2d7030ec19c2a0e0fe9fa |
6 |
1 |
HackTool - SharpImpersonation Execution |
Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
94b769b76d6dca121622b8559c3f5ed337893a1ee9dbbe67442d2f649a373b42 |
6 |
0 |
Malicious ShellIntel PowerShell Commandlets |
Max Altgelt, Tobias Michalski |
Sigma Integrated Rule Set (GitHub) |
fd4e3cdd5f9ec511509a9b456f37f38c1e40597b044a8b780d338b09445fcf05 |
6 |
2 |
Potential Exploitation Attempt From Office Application |
Christian Burkard (Nextron Systems), @SBousseaden (idea) |
Sigma Integrated Rule Set (GitHub) |
5b693c1a0e1c87bcc7e8b870deef8f3f2c0aa4be921233e7ff5379f3b1f85dfd |
6 |
0 |
PowerShell Module File Created |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ac9471aa53e0850fa4b5f9ae701b9d20783d5f3762aa950efee3d94d5f862283 |
6 |
3 |
Powershell Store File In Alternate Data Stream |
frack113 |
Sigma Integrated Rule Set (GitHub) |
dabcdcdecebe87ed3085b193d3ed09029f3556672622b42d5759dc816f0b6173 |
6 |
0 |
Powershell download and load assembly |
Joe Security |
Joe Security Rule Set (GitHub) |
32fcfd50f2fcf0aa58bebfbfb09b7e32b7349a17a5c1aaea5b18783f458c4e9d |
6 |
0 |
Privilege Escalation via Named Pipe Impersonation |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
109e6e5533daa3625414a7f58f6a8b34392f3050c582146cfe13876cc85fd9df |
6 |
0 |
PsExec/PAExec Escalation to LOCAL SYSTEM |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
95ab10477326346ad231600df85597b403502c24947739b6a2b5bf75469a3024 |
6 |
2 |
Recon Information for Export with Command Prompt |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e49a78894a2986a5fb30eb4ab25cd648d87db2a35906c29afc8fa6d7664f5e63 |
6 |
0 |
Security Software Discovery by Powershell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
f02d9a0f1e4d862f9d1b1d10a2f43de36d855212d5a70b671a8493d53a1b1722 |
6 |
3 |
Spora Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
a656aafe4c0cca78f1ad9cc5fe8f97b01ab237e247591a7100edef559c032f30 |
6 |
0 |
Suspicious Export-PfxCertificate |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
b1cd37588678d9d180fae5e3ac98088d0fb94bcf137b0f6b423ba503b9c48334 |
6 |
6 |
Taskkill Symantec Endpoint Protection |
Ilya Krestinichev, Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8cab8c8e34c5bf6c9ad0f509a28ebf3139e2d73c3b69078e57a1a63a0d5465f3 |
6 |
2 |
Use of PktMon.exe |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2718243600ba0f2b3eed38a165f571cb8da2eeb23fd54844632d62088a47ad03 |
6 |
6 |
Wlrmdr Lolbin Use as Launcher |
frack113, manasmbellani |
Sigma Integrated Rule Set (GitHub) |
67d3612b65ef2b4db5ee2d86f8437cc82d5e33395a852f7540858df8738250fe |
6 |
1 |
Adwind RAT / JRAT |
Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a7648695383d3c54094a9a623178342f9965ac5977fdf3c70016e06b5d12fbdb |
5 |
0 |
DNS Query for MEGA.io Upload Domain |
Aaron Greetham (@beardofbinary) - NCC Group |
Sigma Integrated Rule Set (GitHub) |
8c60cfcbc7464b6af5d7b236a49a53fbfde22feb2036abbf947df7322a7343a0 |
5 |
1 |
Detected Windows Software Discovery |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
01357d5e887b9f5de970cbdf4e5303b1faff6ff0de49e5ae4c516f933c8a951b |
5 |
1 |
Equation Group DLL_U Export Function Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a6d1a36dcfe72a6d78f5dd3b78c79bc294296460a9b3adcd993bdd6409046c7f |
5 |
0 |
File In Suspicious Location Encoded To Base64 Via Certutil.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
01705d905ff73214a70aaa5cc788cda6fa3195220319780605c2ba2c7afdacd0 |
5 |
1 |
Hidden Tear Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e2c2e16d85599543e91b4dc9d25bd09e1b1ba61cafa1810a31073a40c91da39e |
5 |
5 |
Hiding Files with Attrib.exe |
Sami Ruohonen |
Sigma Integrated Rule Set (GitHub) |
5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b |
5 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7943e73e12090a40bcc5a95e498a4655704cd76a8f1cc15acfef595e7f85a442 |
5 |
0 |
Lolbin Defaultpack.exe Use As Proxy |
frack113 |
Sigma Integrated Rule Set (GitHub) |
33c04ff56fdad87a0289647b36de2841f4a6fa4866c8656a4005c9f9048ce732 |
5 |
4 |
MSExchange Transport Agent Installation |
Tobias Michalski |
Sigma Integrated Rule Set (GitHub) |
7e012de38821878c4217e8f825643266daebb69300fb51da895c540db3ca6916 |
5 |
3 |
MSHTA Spawning Windows Shell |
Michael Haag |
Sigma Integrated Rule Set (GitHub) |
b9bc90b7745bcb3a2cf9de40d1d419d18ead6650040015c7f4755848e9bfdb05 |
5 |
0 |
MSHTA Suspicious Execution 01 |
Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) |
Sigma Integrated Rule Set (GitHub) |
7a63d1c1bf6ebb277b02d4893066d3732e3d7df562cfdbfee275bbc5c4de0951 |
5 |
0 |
Modification of Explorer Hidden Keys |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a264eb1ecc5d771f6348e8cadd3e5508323440b132da9cd70e3c579354eb50b2 |
5 |
0 |
PUA - Wsudo Suspicious Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
52ed387697917fea6508ac90f395dedf45d52b74d34188d52bf6be42b4ab9697 |
5 |
0 |
Potential Initial Access via DLL Search Order Hijacking |
Tim Rauch (rule), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
e6d0eea0a68b5abc52d30a4b096e43a13457c330945c48f0e430af2cc2e61bfb |
5 |
4 |
Regsvr32 Network Activity |
Dmitriy Lifanov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a9fd3d8b393121d910bdb6416807881b8e231fde412098c46594fc45821d23ce |
5 |
2 |
Regsvr32 Network Activity |
Dmitriy Lifanov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e7df5abed193d7732536dcfeb0d58fbdfd844ab7c3ddd6186f9afa9ced7a6f61 |
5 |
2 |
Remote Thread Creation Via PowerShell In Rundll32 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b6b512a36600d72d464945b37dc5edcb606a3e429979c7f50e117d9a428ebaeb |
5 |
0 |
Renamed Sysinternals Sdelete Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7d63599d287fda108a45075e54ff5b89384e0fbceef8bccec56b981f485b278c |
5 |
1 |
Replace Desktop Wallpaper by Powershell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0f1aa746beaad206dc77bb8542a498967f1fb26e0677a3fdf90cfd5cf5c22a75 |
5 |
0 |
Suspicious ConfigSecurityPolicy Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5b2e321b4ad7aa35a23d2181a655941dc96ea260435a6e1663158a7b2182a9fe |
5 |
1 |
Suspicious WERMGR Process Patterns |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
993d5c8b52bb82b1de2604204add68928f1fe311e3072e4e053d6dfb969e33e7 |
5 |
0 |
Clear PowerShell History - PowerShell Module |
Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2169a242b9139d712fde6f31781a606f5f50af9d5dd7474d415ae08a0cf96fb7 |
4 |
0 |
Conhost.exe CommandLine Path Traversal |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ae01473f6fb2564e81d4c6e62699b0c4458725e8a9aa178c9ac3841d5af3b1fa |
4 |
0 |
Copy From VolumeShadowCopy Via Cmd.EXE |
Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
afa46c9c99b3c76a0450a8c7dface8fa7a53dda1c62644f81fd73ced0a0d096f |
4 |
3 |
Fsutil Behavior Set SymlinkEvaluation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b479dbc5f99a688a740ef0586d12870ce1e3a4a5449727bcb3c11bb1510b6e8e |
4 |
4 |
HackTool - Impersonate Execution |
Sai Prashanth Pulisetti @pulisettis |
Sigma Integrated Rule Set (GitHub) |
ebaee3629e5eae35e0043057b3b0fccc4f2831eaadec57c3280dc181b3683c7d |
4 |
0 |
HackTool - SysmonEOP Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6fbc0321364b37bef63538725c9c7e8e9c0702db310e3060a5da9d201d72a796 |
4 |
0 |
MavInject Process Injection |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
f7232cef6ad5bca28b27340de367589ba9ef580c1abb6dd69d8f2005a6473a4d |
4 |
0 |
PUA - CsExec Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b2300d5d918bfa55070c1a6c9eef5422d85306572df402f76d8549d97778851a |
4 |
0 |
Potential Compromised 3CXDesktopApp Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ae1d35c3cca80cd7625db9f23535aeb938e4401d7c63e6a938329fb4c3ccf55b |
4 |
4 |
Potential PsExec Remote Execution |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
534500853b096a12173d832563555b71c1116d432b7dabba079946461ef7e617 |
4 | 0 |
PowerShell Write-EventLog Usage | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa5822a3aeab0960eda08e8d46a8126db47dc54aa6a0e0ae7a7163dc7fe9746e | 4 | 3 |
Ranumbot Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9adcf2b748c0913ce46ec2734223045df982e2a86948b8740a48edd412720e70 | 4 | 0 |
Recon Information for Export with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 713f92f086b68096c3f56ca930b031275ba60fcd9b0986dca0e69d63a349fe11 | 4 | 4 |
Renamed MegaSync | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5ed404c9cabd248ba80d6d5852fc81ff9c668726a632eb06be9595bd5b80d869 | 4 | 0 |
Renamed PAExec | Florian Roth | Sigma Integrated Rule Set (GitHub) | 58a87adff5b80f1f00537e13c96a7a3ca3c24b661fb3d6f998ed9a120ad72ccf | 4 | 0 |
Sensitive Registry Access via Volume Shadow Copy | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2904a54d46badb30ae1eda5e935bcbcc71f8a08303a31fb68bf9e1fb8f0f0858 | 4 | 3 |
Suspicious Certreq Command to Download | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 90480b0d96dd273a177b536ad0b17f114b0426bdb4c6e04d4692da954658bac1 | 4 | 1 |
Suspicious Plink Remote Forwarding | Florian Roth | Sigma Integrated Rule Set (GitHub) | fd6a0f7521cf3dabf0d2ac45a1aed9f2e2029daa9d1fba9f71905bb34aa427ca | 4 | 0 |
Suspicious Registry Modification From ADS Via Regini.EXE | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 7d40150efe45672b8a7928c4d3ccb55e1238e89ead72dc4a08390a907fc57c17 | 4 | 1 |
Suspicious Rundll32 Activity | juju4, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 0d7b38274ada42870a9b5fe59433cc701b21c18ef543b8c653d2e5dae0f93c0e | 4 | 0 |
Suspicious Unattend.xml File Access | frack113 | Sigma Integrated Rule Set (GitHub) | ab4f3a9eb0931d1b25be0e6ec70048514d987acda1b98b078b334de53d084360 | 4 | 1 |
Sysmon Driver Unload | Kirill Kiryanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 7729210ddf59514a2d5ae300b6b3c3cd9b836719c40091d770a3b08bef6d735d | 4 | 0 |
TeamViewer Remote Session | Florian Roth | Sigma Integrated Rule Set (GitHub) | a8298e7cd8ae07e912b976b51f53ec407301b782a18845c32270523946510c52 | 4 | 1 |
UAC Bypass via Windows Firewall Snap-In Hijack | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 6394e0e9f8661be1f0a1006d948fbd4f1430543e592ee7fb29a34a6c6fded839 | 4 | 0 |
WMI Reconnaissance List Remote Services | frack113 | Sigma Integrated Rule Set (GitHub) | 122d74917c1ba5d7e854a6a25e2ce8bd997bfe1398c7b5ddaaecb88edf02edd8 | 4 | 1 |
WScript or CScript Dropper | Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 2020feadc9b3cf47558c219948361d9d3eb5347af91135f21bf711f6032bc817 | 4 | 0 |
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 211f7156257e48d853aa431ddfc3fc7b86ca8dabc95f61553575d821ab58fd76 | 3 | 0 |
Atbroker Registry Change | Mateusz Wydra, oscd.community | Sigma Integrated Rule Set (GitHub) | 15ae81a84c9a92e5ffb3bc1c4cecc28883ece49fc1ceef55d745ac094ece0622 | 3 | 0 |
Automated Collection Bookmarks Using Get-ChildItem PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 9fa49f4a1e9253459c99846a03ce69d8e029b42640efba5e158e2455b6c0f5fc | 3 | 0 |
AzureHound PowerShell Commands | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | d745e174b185bed59eeb7c26c061f86404d4a74607b523973b17ee01d22e665f | 3 | 0 |
Blue Mockingbird - Registry | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 047c4b3f6b03d9a7cd611e4baaeffab7d6854460859ecf302466ae225ddaf2c7 | 3 | 1 |
Communication To Ngrok.Io | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0aaab6e75614dc39c58e45ef5b3a7f0a1e455ace3bb9041e837370214a92ef58 | 3 | 0 |
Creation Of Non-Existent System DLL | Nasreddine Bencherchali (Nextron Systems), fornotes | Sigma Integrated Rule Set (GitHub) | 3177080de9eacb01db500eb08111e0cbe691a57ed11d8bbeffacd6e8ef6e9b2f | 3 | 0 |
Drops a DLL with WLL extension to the startup | Joe Security | Joe Security Rule Set (GitHub) | 0a0b097696bd0b36b7d1443e446cbff6c2146d7a93cacaf2838ed0fe366b61d9 | 3 | 0 |
Emotet RunDLL32 Process Creation | FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | 4e5ef297fadbdf1fbd3c57b71841275af9687495d2f45e59fcbabdba98315434 | 3 | 0 |
Execute MSDT.EXE Using Diagcab File | GossiTheDog (rule), frack113 (sigma version) | Sigma Integrated Rule Set (GitHub) | c4a1cabbd4c25e14be0bd98c5770d2e94ad2885f8f505bddcd03978cf4ba0905 | 3 | 1 |
Execution via WorkFolders.exe | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 50d292f837567defe72f24a4b91ee437943cd8f35d5aedcf15979d3d253d38e9 | 3 | 2 |
File or Folder Permissions Modifications | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | d1b3909fc498977f2008254e9e38903c16568e7a8aaaeb2eb0d1d4f155373408 | 3 | 0 |
HackTool - Quarks PwDump Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83fcbb048fc301513c7de88d6b54f969a6cbb28bee2de22baf8a56ee7c454e81 | 3 | 0 |
HackTool - Sliver C2 Implant Activity Pattern | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37af4676baf9c863ccb2ca099ad1368020d8f1969b80a3e8a21065525136ff56 | 3 | 0 |
Hidden Powershell in Link File Pattern | frack113 | Sigma Integrated Rule Set (GitHub) | 9e321ddc9cddac65fd520665184681e53aedaf0652832edb168aa27ac04e59ca | 3 | 0 |
InfDefaultInstall.exe .inf Execution | frack113 | Sigma Integrated Rule Set (GitHub) | f6602c9cc48a37aa44fbfc4ffe4560e8f37e1934e365a235af4ae61c9571ded1 | 3 | 1 |
NirCmd Tool Execution As LOCAL SYSTEM | Florian Roth, Nasreddine Bencherchali @nas_bench | Sigma Integrated Rule Set (GitHub) | 40d85a90edfb89bec5045c66b822890370973192e8b0e6b11d87926d3c70c18a | 3 | 2 |
Office Macro File Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aaba58981e0428da3913c964606d7609d2f2b2553131eb76cbc3b1fbc611008a | 3 | 3 |
PUA - Crassus Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43a1d4f767ed0c719d573fd6ddfd62abcd7f8ebc365f97d7c2f83f9a7eeac91b | 3 | 0 |
Potential Persistence Via AutodialDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 164cdc408856848b0eb1ce6165a865e2b8dbd9fcf0b5aa393fd7f1af640ff05e | 3 | 1 |
Potential Signing Bypass Via Windows Developer Features - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bc27e2c02d1cb4d2eba75aa1668359b5caaafc79eb2531bdbe54410d63d727f3 | 3 | 0 |
RDP Login from Localhost | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3895d9722610797e2eb09dca91e1a804bb4eec6cc1ca5b81a937f13e4adc81f6 | 3 | 0 |
ShimCache Flush | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7755af8c0fe9118bb510e5bd0317a174fc59e613270dce762bbc67cac8f68d15 | 3 | 2 |
Suspicious Cabinet File Execution Via Msdt.EXE | Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113 | Sigma Integrated Rule Set (GitHub) | 4c0f8984146566700f953eb45fc4781e3347270de34abc6768ebafe2403c457b | 3 | 1 |
Suspicious Minimized MSEdge Start | Florian Roth | Sigma Integrated Rule Set (GitHub) | d67139d73a6d7369e526a363923c3f504c081ba52a8f8556080f518c4302090f | 3 | 0 |
Suspicious Splwow64 Without Params | Florian Roth | Sigma Integrated Rule Set (GitHub) | c4e0758476210a09a3e470db05d2cbec0aebd511e48d351685c75970566f894f | 3 | 2 |
Suspicious WindowsTerminal Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 38cc71193a6a791f4d2ddb67fdf3a6baafab25ec9f4c861b11fbdca1c94a3f08 | 3 | 0 |
Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | cdd5a8ff564f3632d9613d1f4925baca8be40a01fe14c7ba3e30f51bf1ff3829 | 3 | 0 |
Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 1e33259c56ec61269739a1b6f2e7e13760703a505f60b194702ff716a6fe0fbc | 3 | 0 |
VMToolsd Suspicious Child Process | behops, Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bd7b9679a8b4de81c85050399fe9679a23a1ea3bb48ef31509d208152db750f4 | 3 | 0 |
WerFault LSASS Process Memory Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 698bc272479b99ab8911efeb4b32e6de83a3fa47b310e5829ce6e8ff5702b1d2 | 3 | 0 |
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | fd0a272556e2d962e1ecfb8d8fa8ab6f1d728c870db382b0b56dc04e7bf20317 | 3 | 0 |
Windows Shell Spawning Suspicious Program | Florian Roth | Sigma Integrated Rule Set (GitHub) | 80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422 | 3 | 0 |
Wmic Uninstall Security Product | Florian Roth, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | deb3cdf84cc34aa311e6bb923cb0b259584940b4e6d724a32706971b5147607f | 3 | 0 |
APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5976bfe7c4ff52e5b70711a7444670a4f2d462e99bd30d3c6950495e32018ac | 2 | 0 |
Add Windows Capability Via PowerShell Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 684b246bdb157e11d1985c522a8f891d7dfea0ec8d30864c9e2fe04cc9564973 | 2 | 1 |
AnteFrigus Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b18641dc7819baf3c131b24088048e3cf6ac0f5946f136a2c0b0b36a3754141 | 2 | 0 |
Arbitrary File Download Via MSPUB.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a70e1836669aefe4c5a9b48179c7a3c4857505b87dbf8a3bb424d268fa80d857 | 2 | 0 |
BlackByte Ransomware Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | 84b39fa5fbd9d5726548c90280f53428562a3fef57fff40cbb48ae96cbd05757 | 2 | 0 |
Creation of a Diagcab | frack113 | Sigma Integrated Rule Set (GitHub) | 76466a8380202538b40850a954fbd8b6bab964c61bff3742c35d8a8e0bc582fe | 2 | 0 |
Evrial Stealer (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d5974817e9c9eeb05c8b60f23de31930c84cb3eb8d247767b7fe7bdbec4ad23 | 2 | 0 |
Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 368433c7157e0778f035c6c8b5a6cd0f273d860606bfa36f632144c7050b4c7d | 2 | 0 |
Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 769fe648255c0a237ee125f74d2685b54cf7799f6b5cffeae1f2fee47164091c | 2 | 0 |
Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 934747e347848f3bf5d2222f0c29c4c6e42831b94a6e0ce77ff40017e5f11fd2 | 2 | 0 |
Execution via stordiag.exe | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | c012b058c607c697ab3013783a9a418dd2b233fa1f22ea4f8160238a19c65577 | 2 | 2 |
External Remote RDP Logon from Public IP | Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 49aec14518e31487cacf1b97c8d227e4485f822a6a30d04b3fac2c7c145dbc74 | 2 | 0 |
HackTool - SharpLDAPmonitor Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e45b16fd030f52e69c512e3570de6d000efb8a0e03c4073637e04aa773354410 | 2 | 0 |
HackTool - Stracciatella Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 91b5e23483ca6c8edbfa31c7fb6978213e819e3f968f35d109a7fb75c36c3deb | 2 | 0 |
HackTool - TruffleSnout Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2f2b803c7e154a72c734f5b9d5c3d332b3174757ed624c55dad5a52ad36934f8 | 2 | 0 |
HiveRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bfa9006c02a3c62043c1bd4c10f77dd29fc786bc22855e00928082034c4307cc | 2 | 0 |
Invoke-Obfuscation Via Use Clip - Powershell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1c3ea7c0333da16496964e50a5e57012a3b70695f952212351e08d08530da6d0 | 2 | 0 |
JSC Convert Javascript To Executable | frack113 | Sigma Integrated Rule Set (GitHub) | 2ff165b71352ba7322e48c1d765629db5ccf8ba92e65a3ab9a4d375da0846a6b | 2 | 0 |
Mounted Windows Admin Shares with net.exe | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga | Sigma Integrated Rule Set (GitHub) | 816c82737c8262b4f167d02b04198105def46bd23ea282a655786d387e88118c | 2 | 0 |
New Hidden Tear ransomware variant | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 92dd4e3ca17ea4f0bdfb71304a8fcbbd234749a15c0c26579fac17253c4b2463 | 2 | 0 |
Potential CVE-2021-26857 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 6a562c9f35089d87a91ec35ae35044bfb9902969d69d04e8f50b1e9f2b14b4d0 | 2 | 2 |
Potential CobaltStrike Process Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f6b39e4a331f85ca7590bf725ff05b84567ac82eecf2ef761c60e4baed042482 | 2 | 0 |
Potential Credential Dumping Attempt Via PowerShell Remote Thread | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | ed3831d20478d9b3e7a4bada4351902574fc0eb36fbfd51032119c477b94e4fc | 2 | 0 |
Potential Defense Evasion Via Right-to-Left Override | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | 8c9d950be3588ee779f57d3c33f03abbaa5ab145cac1a897bfa816cd0745a1c9 | 2 | 0 |
Potential Dtrack RAT Activity | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbcabbd5b0fb4855de3b0bcf6bd58239facf0733ad46f2269ef540d344acb5bb | 2 | 0 |
Potential Persistence Via MyComputer Registry Keys | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f776409e7a0ad2cd5dbb2241bddedc4d94cffb55043ccb0254fd7266f7f10720 | 2 | 0 |
Potential PowerShell Execution Policy Tampering | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 49b185e25e68c30cebd01a44e72bda0c359c132bb364ef487a935de293813a78 | 2 | 0 |
Powershell Exchange Snapin (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 1920836da8784b3f635f88d7c9216b6619a5f5613a5d53fefb342c817897a736 | 2 | 0 |
Powershell WMI Persistence | frack113 | Sigma Integrated Rule Set (GitHub) | d31a6afb995dab0473ccaefae327155cd4ba87afbabf6a872553475c50bb7182 | 2 | 1 |
PsiXBot Malware behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 63753d667c596fd59cca6de277c7a4f8062dd47fb2ae19a1efdda0cbb8d7692b | 2 | 0 |
Regedit as Trusted Installer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 40b85d8543b5dc00f22211f0dd2f05012b435d38fd8e170370986c189a9b39f2 | 2 | 0 |
Removal Of Amsi Provider Reg Key | frack113 | Sigma Integrated Rule Set (GitHub) | 29e103486311c7c5f253e500ab6386c2aba984cb782efe903a88f082d3f70254 | 2 | 0 |
Renamed Binary | Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 686a5b6d5e098e507256a7207e9e4a237bb378c824f67f13ee0402525833b257 | 2 | 0 |
Response File Execution Via Odbcconf.EXE | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18ab8cf17024175e4f1d5ec237de24dcfb16890beb4847d0e90e79e0c59cfc85 | 2 | 1 |
Startup Folder File Write | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f | 2 | 0 |
Suspicious Copy From or To System32 | Florian Roth, Markus Neis | Sigma Integrated Rule Set (GitHub) | de683a6054ff03b9c12e58c842648f759cfcf797f91dc01078d285e8f3f8e856 | 2 | 0 |
Suspicious Extrac32 Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 908072bc38c223e94e034ac7acafdfda27359b429525af331f388a7ef0e2b66c | 2 | 2 |
Suspicious File Encoded To Base64 Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa7741239d7d626a6e7b92ca2405578c580c500eef1489d3115aef2b00b667d1 | 2 | 1 |
Suspicious MsiExec Directory | Florian Roth | Sigma Integrated Rule Set (GitHub) | 709fa572c6d4a06b81742c9cefd264b1debafc1f9b2aedc9798d5cb749d52458 | 2 | 0 |
Suspicious Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 205a65cd894184e7d2a59da78310f8cb3262995f30c3015a05293c7754e5916c | 2 | 0 |
Suspicious PowerShell Mailbox SMTP Forward Rule | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9b0d95e9a34c915ab22d89c790c054977cd6411f4fdebffa6e36f09e5376c9c | 2 | 2 |
Suspicious Processes Spawned by WinRM | Andreas Hunkeler (@Karneades), Markus Neis | Sigma Integrated Rule Set (GitHub) | dff6f482b1c3296a1eba449d732fe05e7b9a61f56c3849298ee9d06cec81c941 | 2 | 0 |
Suspicious Program Location Process Starts | Florian Roth | Sigma Integrated Rule Set (GitHub) | c593fd1eac248d2f05a155e6c8ef2682b9022a12bc03104ff8e9e7c40f585268 | 2 | 0 |
Suspicious Program Location with Network Connections | Florian Roth | Sigma Integrated Rule Set (GitHub) | 01b1cc2515aec2562e5e8cd3c88a60677a1acd2d680b289cf67fa493abe433d2 | 2 | 0 |
Suspicious Regsvr32 Execution From Remote Share | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0415bc3e4953b49601e59c9e77f268c8b8163cb32d777dc5a37b169f9fcbd8ca | 2 | 1 |
Suspicious Set Value of MSDT in Registry (CVE-2022-30190) | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 08f4372e76fc0605c4e338fe71c656a918209c7ab03da84c96c5f8d99d4bc241 | 2 | 0 |
Suspicious Use of Procdump | Florian Roth | Sigma Integrated Rule Set (GitHub) | bf45bfecf2446b7f2b7904bc35a7006ea9bfae3e8ba4d6ab35dfcb00095b0b9d | 2 | 0 |
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 413ab718402521225cd65e7866d07b849a38758c52a3bf913da2fcc4bce26ab3 | 2 | 2 |
UAC Bypass Using ChangePK and SLUI | Christian Burkard | Sigma Integrated Rule Set (GitHub) | a334f66679d3e373f49f08113614e79457c624e8ef315085de12c285bc5d7d4e | 2 | 1 |
UAC Bypass via Sdclt | Omer Yampel, Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9e30ed5d0167ae542ae090b30e0049496a63c5c9c63bb37e80d62532640cfc6b | 2 | 0 |
UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 777e78408dd5e81cb40b0dd4b18dc729cd882538beac8337067e6a2ceb940493 | 2 | 2 |
Unusual File Download From File Sharing Websites | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f57e9a5165fe649d867e207c503dd53a05dbd5175c68be9a369174832afc8614 | 2 | 2 |
Unusual File Download from Direct IP Address | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a2b6862e0b28e1527a68e771f4a09cc77cc168e10e6c8d978df736c414320a01 | 2 | 2 |
Use of VisualUiaVerifyNative.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | c2fb9169c48cfbf7abc02540d8fc5c9d887473aed872aed30dbd4f8a9ead5a5b | 2 | 1 |
WMImplant Hack Tool | NVISO | Sigma Integrated Rule Set (GitHub) | 6b93b7bce89874009dd0ecb10a52f610736bcb6d33fe425d9295732660f6b7ab | 2 | 0 |
WSF/JSE/JS/VBA/VBE File Execution | Michael Haag | Sigma Integrated Rule Set (GitHub) | 8b884f70bb47a8e06faf8f548fcfef77fe3802d22c310c4cdfa01f35cb030bac | 2 | 0 |
Windows Credential Manager Access via VaultCmd | frack113 | Sigma Integrated Rule Set (GitHub) | 3444e8af7fe049353761c697d9c300841002cb9979f0754558abb2baaa8c915f | 2 | 0 |
Windows Kernel Debugger Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdfabe357d29db481ce92a1bf99197e1220f79336d0a6a891f56d430f607e756 | 2 | 1 |
Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 2637f98feb69311f94822998eb3c8b8d217e6c5767e071536ca54f9da830e236 | 2 | 0 |
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | f9da722f2b9be68744c84591d71fc78f53410669a0b7da802cb3abdb56d3fd72 | 2 | 2 |
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | deeb1a213004e4f328c59f035fe5bdbfe766ac3d8a0ea7f9a916c12bc145491f | 2 | 2 |
APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c53c2f741a37b554e1a5a16737f3c6f27a5818e8474ade69f599e8d18b6df51a | 1 | 0 |
Add Port Monitor Persistence in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 8dbe594a0f4eb93aed5bfffd0545b03cb0d8c91d229a169700c0d5a7b140795b | 1 | 1 |
Add Windows Capability Via PowerShell Script | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0193a082ffec8bb49a0621541982fe0c6a2ba5f5b536f62789f83021ee4270a | 1 | 1 |
Always Install Elevated MSI Spawned Cmd And Powershell | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 742d7b1dbef016ab3810ec50354e231948fa035c8cacfec6b18f3a8fba03c2dc | 1 | 0 |
CACTUSTORCH Remote Thread Creation | @SBousseaden (detection), Thomas Patzke (rule) | Sigma Integrated Rule Set (GitHub) | 7b0f6b7c0939954a4e8dd01dcda83d20044a57808d265a6697c3580fde333062 | 1 | 0 |
CL_LoadAssembly.ps1 Proxy Execution | frack113 | Sigma Integrated Rule Set (GitHub) | aa273ed357d9327c9c8131f9175a347aa2c8c8fa545e8642b56404eb76668070 | 1 | 1 |
Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 73c0a64c5562e339d22b6dd8487f58f08f817a078ee2d99fa508f2bcec9487d2 | 1 | 0 |
Check privilege of CMD via whoami | Joe Security | Joe Security Rule Set (GitHub) | 07a05a43e0384cce9c41d6cb6ed256ebce6aea8c6455db044d755ece6063babe | 1 | 0 |
CobaltStrike Process Injection | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | a95251178853987552aca691c7ec1d2e31c91213e0e11f80fd3e7789a1234894 | 1 | 0 |
Command Line Execution with Suspicious URL and AppData Strings | Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 0585dd5b67e1bced48ad1dc8f9e0b66fd4e44c6e7c14dd5b385950c97e15b768 | 1 | 0 |
Create Volume Shadow Copy with Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | ef1d2531cf3919c8ed1ffd678acc8325c41225368f4add8ce5d727f9d4f742ba | 1 | 1 |
Credwiz util dropped by mshta for dll sideloading | Joe Security | Joe Security Rule Set (GitHub) | 47b76425766ceb0d5f71f5b737ae4660dc4fcaa91295131395a542596953ef67 | 1 | 0 |
DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5157203e484dbfa217f40f7089460a4c6713e54ef44ca66a31ec7d5c820f0d26 | 1 | 0 |
DarkSide Ransomware Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5c4ba608ec7db931a6491db14857b098a88caf78b2c28087f16fa4aeeb05c8d0 | 1 | 0 |
DirectorySearcher Powershell Exploitation | frack113 | Sigma Integrated Rule Set (GitHub) | 59fea38f0030f37a8b1bcefb7450d7a94ba474f5e72db8b8f7a4850d643ad2e3 | 1 | 0 |
Disable Powershell Command History | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | 9bad9ab33b286bb06b80490c60a3b9a1136560cf838d47ba48b3384b762267e6 | 1 | 0 |
Download a File with IMEWDBLD.exe | frack113 | Sigma Integrated Rule Set (GitHub) | 785fda7f769e06444f3d969a9e64bac3cb1625df98e533dffbb90df45425e748 | 1 | 0 |
Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4f4552b72d1fdf1daa9803088eabda70a1a8259d5eae424fcbf3b7edae985b63 | 1 | 0 |
Exchange Exploitation Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | a53120d1ec17fbf608c6da8cb88f544b76206e830dd4ec17155f718bf5851d0f | 1 | 0 |
Exfiltration and Tunneling Tools Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6ba70df29bf2469a0e7931226da06a144c5e9044543a14e1fae2bcd6c17f9374 | 1 | 1 |
GatherNetworkInfo.vbs Script Usage | blueteamer8699 | Sigma Integrated Rule Set (GitHub) | 93d3c8484d953299cdaafb696acdb7e33fd8a569cd8682a0d501a122f2b8290b | 1 | 0 |
HackTool - SharpEvtMute Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f4ab47a48c30eefe0bd92c3fe92c7f2481803dfb5833689959c5f32bff77dc2 | 1 | 0 |
Hide User Account Via Special Accounts Reg Key | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | c5763f84925887a9d36054776ddf6d48e47d552ec2e7fed586026049488c127c | 1 | 1 |
Highly Relevant Renamed Binary | Matthew Green - @mgreen27, Florian Roth | Sigma Integrated Rule Set (GitHub) | 6a0e84509806d4477d42410fb267c817a01015e3dcc33e48330f8db0ba9709da | 1 | 0 |
HybridConnectionManager Service Installation - Registry | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 6ba69204045297b2467cffd2d3908dc1588e213dfeaf62bb11c1778c9d93dcf0 | 1 | 1 |
Internet Explorer DisableFirstRunCustomize Enabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5977f01764dc3b0e2e3b7592943fc4bb6b4e55d5fcec607c905ea26d222e9c6 | 1 | 0 |
Invoke-Obfuscation STDIN+ Launcher - Powershell | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 8bc4688c4e1827de8ac2769dd693f5ee1d6a3dd731e0fa459a1d47788bc3ab77 | 1 | 0 |
LSA PPL Protection Disabled Via Reg.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80855f8a9447aabc3c921b18396835e82ab35d2beb39b56f2d34d156ca2ac9ae | 1 | 0 |
Local Accounts Discovery | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c | 1 | 0 |
LockerGoga Ransomware Activity | Vasiliy Burov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0c0ba5aebd0db3facb25385b2dbdc2b2a34be391da1993bc8a02c689608fba16 | 1 | 0 |
MSBuild execute suspicous task | Joe Security | Joe Security Rule Set (GitHub) | 850ce3b49e2fc441426c3b9ec59e195d417194b461fe480e76d2482bcd20112d | 1 | 0 |
Malicious PE Execution by Microsoft Visual Studio Debugger | Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community | Sigma Integrated Rule Set (GitHub) | 833d1e3036176fa960339790e9389d39187ba0c444aa4b1f1d3adc81c860b9fd | 1 | 0 |
Maze Ransomware | Florian Roth | Sigma Integrated Rule Set (GitHub) | d807dbfa78ad565695bdfaa5793858aa25a153091a49b554975f48182344c78f | 1 | 0 |
Microsoft Office Product Spawning Windows Shell | Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Sigma Integrated Rule Set (GitHub) | 6a6edfdea6536f74ea66bf73682ed52f4b86435793ed76ff38e3ab0523f029f5 | 1 | 0 |
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 4a9ddb920ad6eab5d240fd46b4a22a2839ea161414fab29fdcd567a468de9295 | 1 | 0 |
Mshta JavaScript Execution | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | f6f3741fe71241687646386731e58cbb9eb5dd4b8db836bb8840c3d02e5462b8 | 1 | 0 |
NPPSpy Hacktool Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | fe93afc27b2b53b9e4deb1b29d0172ddf97ab492beba618fda8529d8eb602bed | 1 | 0 |
Nansh0u Campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 904193bc621aaa8bd679e31840889e7e0ebdd3012ad80cd285a787efa9a21a1e | 1 | 0 |
Node Process Executions | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9202f610baa020320fb0754246900aef3eb9d7cab948cd7896901c509b02cb91 | 1 | 1 |
PUA - Potential PE Metadata Tamper Using Rcedit | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 8eb59cf451fc1b4a57d9996082ad83751d5fe59d20e9b3562534ccf7fa0a07ab | 1 | 0 |
Perl Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d7702078dd10096eb5abed05e061a8a1faec0e7904a86b6b39f6faaaa294190c | 1 | 1 |
Permission Misconfiguration Reconnaissance Via Findstr.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c26472b8ef978b2519ce5cb30b5d30baa08b0717a6302fcbfc81a2c8ebde884b | 1 | 1 |
Phishing Pattern ISO in Archive | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2df698bbd801db84c12100296dbba0869a2e6936088abee3147315e5617f7fbf | 1 | 0 |
Php Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beb929216e4b57c3b1275c3d5d5bf04fed77445512365bc0d3af736280b5b382 | 1 | 0 |
Possible InstallerFileTakeOver LPE CVE-2021-41379 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 1649fcc98b56dc9cfc742a4a6df24ac3e91123ac466268300afc87e3f91191e2 | 1 | 0 |
Potential Attachment Manager Settings Attachments Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab75582abe82ab90071a874b2fc815cf2027c5505ce7f0b149210f67dd27dfbd | 1 | 0 |
Potential COM Objects Download Cradles Usage - PS Script | frack113 | Sigma Integrated Rule Set (GitHub) | 139dfd44d42316af195b126ba90bfe2e69202770b83f23cedc967bd558604186 | 1 | 0 |
Potential Credential Dumping Attempt Using New NetworkProvider - CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4777339ddbbc4185feac4c036855d36de485c1178bdd82acf02e02b9b3792f27 | 1 | 0 |
Potential Persistence Via Security Descriptors - ScriptBlock | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1f7de9310570e85851b78387f389d4afad2aec4f21a751de564e4d9dbe8ef806 | 1 | 0 |
Potential Registry Persistence Attempt Via DbgManagedDebugger | frack113 | Sigma Integrated Rule Set (GitHub) | 0764cda98bb00fbde3294e28d5bb3b95797a31d8931448c764caa0743451358f | 1 | 1 |
Potential SAM Database Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80a403e95306ff656dab00a85d9565922c30f10b9cceccba105e76eedb357bc1 | 1 | 0 |
PowerShell Download from URL | Florian Roth, oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 24c9049c81b149aa4537cce166e36f3697878dcdad3fab8b662889d154056d7c | 1 | 0 |
PowerShell DownloadFile | Florian Roth | Sigma Integrated Rule Set (GitHub) | f0282b9dc90a1761ed8cfb90b52bc5f53c2c8ccbff1ca29790e8d17c7eae56dd | 1 | 0 |
PowerShell Logging Disabled Via Registry Key Tampering | frack113 | Sigma Integrated Rule Set (GitHub) | e08c8016940ec5fbedc1d8b08fff3fb1c6bdf197e8fea3c4fbceaa55058f07a3 | 1 | 0 |
PowerShell Scripts Run by a Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 014598477a00db3dbeee84e541504e310712bfb7380fe0f6c18921580f829d4e | 1 | 0 |
Powershell delayed execution via ping command | Joe Security | Joe Security Rule Set (GitHub) | 9a4875b9a93f7ed6dd4f6259f58f0ff372f1351c267c6d112364a3064aeae82f | 1 | 0 |
Powershell run code from registry | Joe Security | Joe Security Rule Set (GitHub) | 09cf140e4816d8c5bcb37b98e996e455d8127cbccdf4287901654f824cf63f13 | 1 | 0 |
Query Registry | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 218d6661cbefbe4342fb5e6f0aa14df5602a3a39691bb19b246644804e6d341f | 1 | 0 |
RDP Registry Modification | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 7aaf54115e7c0d8450b858520101c04264b58e033da253ad20a672a00b52b5ae | 1 | 0 |
RDP Sensitive Settings Changed | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | c1a07dc6104bfa9dcd638f1c9f04504dafbbb28fdf3a4f36dc6af48802194787 | 1 | 0 |
Remote Access Tool - AnyDesk Piped Password Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e0d326cf1248be3c35ad4a980fd0b6fd00f190e2b6bac28494062e11f1d9db1 | 1 | 0 |
Rename system process and copy to suspicious location | Joe Security | Joe Security Rule Set (GitHub) | ae5e05ff7a2f5d6e654578b73a1ddc50baeec856b0ab003ad6852c80beb8b068 | 1 | 0 |
Renamed PowerShell | Florian Roth, frack113 | Sigma Integrated Rule Set (GitHub) | 52606fbb97633e0a2c2581ff33bcb2bb212da3c00b02cbf971e5a0aa2f7b4cab | 1 | 0 |
Root Certificate Installed From Susp Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 99ad87050a603d266b14f9d38b78913daa61c2b7dc6b1441427d022050ccc8b7 | 1 | 0 |
Rundll32 JS RunHTMLApplication Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 343b001a9d0d8504e1dad1dec564de589c763ce6c3c86ccf9ad3ec5835a3e879 | 1 | 0 |
Sapphire Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | af5ee1ff302412603f190ad74d459219970f99e1b5a92d952a2e953f522b38c3 | 1 | 0 |
Scarab Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c3b33a6ba821d844c3bfc5a217489aca877dc9bc6c76c84e4d8cabd6a320bd7b | 1 | 0 |
Sideloading Link.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d12dc80661a49ab922f3ed3b488e8a49f6edf53b777c918dc2f0b905b20d9bbb | 1 | 1 |
Suspicious Cmdl32 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | cf2baf60d63943d7200da28391b4e63298b2d186faf45b499b001ca84dc882ea | 1 | 1 |
Suspicious Compression Tool Parameters | Florian Roth, Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 9ffd116f512698b4f9b310ee5526625ddf70dc16d7e3a87e744f709c8b537b2e | 1 | 0 |
Suspicious CustomShellHost Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 540a06a16bc10e1e472979a3ae3af251fd81638d7e2df1eca74f74a3c9bcdfae | 1 | 0 |
Suspicious File Execution From Internet Hosted WebDav Share | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9d307b7c423134f5ddcbc65c0c787b0ca177d16056abb95987cbefda5e9da1ed | 1 | 0 |
Suspicious PowerShell Invocation Based on Parent Process | Florian Roth | Sigma Integrated Rule Set (GitHub) | c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b | 1 | 0 |
Suspicious Rundll32 Activity Invoking Sys File | Florian Roth | Sigma Integrated Rule Set (GitHub) | f4b9a5aba26ac1d465f55970b8defeab4a4704def7889e6c296b0f33cd1fad27 | 1 | 0 |
Suspicious Rundll32 Invoking Inline VBScript | Florian Roth | Sigma Integrated Rule Set (GitHub) | 40e3e97976c84f512b11ec485b8dc54ce731851327fe05beff6b567fdfe2b91b | 1 | 0 |
Suspicious SYSTEM User Process Creation | Florian Roth (rule), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73 | 1 | 0 |
Suspicious Spool Service Child Process | Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) | Sigma Integrated Rule Set (GitHub) | 2445eef8bbfc5d52245783f3d3a39b67d2a9e863e057b9710358f473c4a0d9ed | 1 | 0 |
Suspicious ZipExec Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4299b17cc3fb6f5ed2bc90d612e461452723118f5b71a85231879dcf7c197ead | 1 | 0 |
Sysinternals PsSuspend Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5499c523df320d4d17393e8439d7a17bdbe13b398428715aa85f865a9ac040e | 1 | 0 |
Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 7bd4ba31d00dc2c285a409cd7939611accc6c2934992f8e9cd0ce8c32ad0c40c | 1 | 1 |
Tap Installer Execution | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 47fed78a8bb63a7dee467bd25acd7bbfb704d602012f1a2228eb56c9f6760b7a | 1 | 1 |
Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a1c44f103e75c8295cdbb587af4bac07f2b77445d54c17a424e7dce924a981ce | 1 | 0 |
Uncommon Child Process Spawned By Odbcconf.EXE | Harjot Singh @cyb3rjy0t | Sigma Integrated Rule Set (GitHub) | 7e8cf2aa9c53d27e74ec5d758c244e7939c04f5252650030b441077572cfcbe2 | 1 | 0 |
Usage Of Malicious POORTRY Signed Driver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6bbc36542c77f8d058bdc271a081010f06acd3d3b84465a3ab065bc5723eb46 | 1 | 0 |
Using AppVLP To Circumvent ASR File Path Rule | Sreeman | Sigma Integrated Rule Set (GitHub) | e95a64931dc936ea0b79a4d48a5cf5f247dc55a78f0cb754480de9f58dcd9ce2 | 1 | 0 |
VolumeShadowCopy Symlink Creation Via Mklink |
Teymur Kheirkhabarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3b5b0346a9d3b5b510bfd33a67662439c44419ada001c73160bdcc75d76b2d3b |
1 |
1 |
Vulnerable AVAST Anti Rootkit Driver Load |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e9c74d53713106fb02366cb62d020afa0660b87c13561de9c43553b46bcb0d06 |
1 |
0 |
WannaCry Ransomware |
Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
b8a9a3d755cac11238eb37aa06d27255714356075872c2e2e140acfb3e8ab8b0 |
1 |
0 |
Windows PowerShell Web Request |
James Pemberton / @4A616D6573 |
Sigma Integrated Rule Set (GitHub) |
226bf9a98dfb94416c0f984ecfd7e566a55fd0efe2af4257055b1f1be1501377 |
1 |
0 |
Winrar Compressing Dump Files |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
751aa9f10bb034af3fd96ddfd10baf6ff799f92e0d2802249e1d957644c16591 |
1 |
0 |
Wmic Launch regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
4bd4adb7096f2875c9d4780cebd4f8cc5d8f98ae072aa38aea08cb38ea623042 |
1 |
0 |
XORDump Use |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
4abc044da118e9866fcf5bc9e7da198eb9947cb37219f7a3b35126a70e5dbb60 |
1 |
0 |
XSL Script Processing |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e80db9df819552f83bb1bc542be2503390d7a47f3c26ea4db86797b530411d2c |
1 |
0 |
rundll32 launch mshta and run script from internet |
Joe Security |
Joe Security Rule Set (GitHub) |
529f06043b5ec852cb07ebe7880eaedad5dfcb5b041100dd85458b5ae5d43c1c |
1 |
0 |
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
2c660e94b9dd36c78c57a2250c28533823a79106701103f8b2a662501cc2a379 |
0 |
0 |
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
f45ee46c268733c28e2e456cd180b06976bca8e8fc0819a141d83778e7e6908b |
0 |
0 |
A Security-Enabled Global Group Was Deleted |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
bf3e787c52710338f2de4d60dc5d8c182f8014d194883f95053611e83cb06306 |
0 |
0 |
AADInternals PowerShell Cmdlets Execution - ProccessCreation |
Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b16d67523f0579e7a519f3728bfe10cb26d5526cc90e1b975b33341e51ba7854 |
0 |
0 |
AD Groups Or Users Enumeration Using PowerShell - PoshModule |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a205be34057679bd055b1f3cb3fd18d4d31f2b0bd776288ccba6be10b5a818e0 |
0 |
0 |
AD Object WriteDAC Access |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
58cec962c267e019fa838d36e02695d7254409214165d3ac1363b49e8711131a |
0 |
0 |
AD Privileged Users or Groups Reconnaissance |
Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
14cbefe2ccc7618cf17e2c9b92743b97fbf394277a7c17c58ebb3d942aa0a0fd |
0 |
0 |
AD User Enumeration |
Maxime Thiebaut (@0xThiebaut) |
Sigma Integrated Rule Set (GitHub) |
1a4024d9c095d28a1da18eb257926feded8ec7d7ea03762f6eab63b22a41721e |
0 |
0 |
ADCS Certificate Template Configuration Vulnerability |
Orlinum, BlueDefenZer |
Sigma Integrated Rule Set (GitHub) |
6d83e2c5d3c8dd6baf3897d1fcfef08e8e7745f60a8712ff35acc679d26b2db6 |
0 |
0 |
ADCS Certificate Template Configuration Vulnerability with Risky EKU |
Orlinum, BlueDefenZer |
Sigma Integrated Rule Set (GitHub) |
145c680f84c610717ce0f64126642e2075071657c6b04077e58c08042f45b3dd |
0 |
0 |
ADCSPwn Hack Tool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
945059b9924f612aec04c225310cee7009f0951805322568a62ebbefb71e63b0 |
0 |
0 |
ADFS Adapter Process Spawns (via cmdline) |
SOC Prime Team, Microsoft |
SOC Prime Threat Detection Marketplace |
5b090817d20c98f190eec819a6c655b46a96324e58e3195a7f9c5e076fae6acb |
0 |
0 |
ADFS Database Named Pipe Connection |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
4066789e2f52a62b211079b31d3fecc622acde6f0aab1c5127584333f498102c |
0 |
0 |
ADSelfService Exploitation |
Tobias Michalski, Max Altgelt |
Sigma Integrated Rule Set (GitHub) |
adb52649fba655a7c618328f8a47138b0829cd7ee3ff23c599542d6103b29a92 |
0 |
0 |
AKO Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bb075da0c850b7587ce9434aef02a948171b3545ebd0914125d7f5fe4fa590dd |
0 |
0 |
APT 37 |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
2c9099b138fc55d5fdb1dce07ff366a656ee06b6ff8dd57d238ce00e61809e4e |
0 |
0 |
APT PRIVATELOG Image Load Pattern |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
396dd003148797c25c2cb63e8f2c6e0b3973ed37675f9c214f6a40a269c94131 |
0 |
0 |
APT User Agent |
Florian Roth, Markus Neis |
Sigma Integrated Rule Set (GitHub) |
e2b73603c9441b256be9bab1ccd758407a6d6470859f0f6cb838ff2eadc08006 |
0 |
0 |
APT29 |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e |
0 |
0 |
APT29 2018 Phishing Campaign CommandLine Indicators |
Florian Roth (Nextron Systems), @41thexplorer |
Sigma Integrated Rule Set (GitHub) |
8f2c777b3dc85aa4c4663fc4de3a1d8bd273ea3506fd8481a76de1a0ffb2c6b4 |
0 |
0 |
APT29 2018 Phishing Campaign File Indicators |
@41thexplorer |
Sigma Integrated Rule Set (GitHub) |
120841a228484caff2f660319625b672d8b268d649f0522d99d2a59c6c60f3b3 |
0 |
0 |
APT29 Google Update Service Install |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a |
0 |
0 |
APT29 Google Update Service Install |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
e6247b8fe178e47b7e98f318da90608dc7aaf94fa99fe8e933f0a05b6498bdb4 |
0 |
0 |
APT40 Dropbox Tool User Agent |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
572ac9027db60bae5654b7a9bc5d58e315db0810b08d8142c6db54f5e9e7ed24 |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
1d0bd876f993864d8a65e33ce45e152f3e49063e858a74169b77923d673483a8 |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3ac562f761dce56ddce1ba6581aace41ae7b64cf2b9fd64295b4d9d43c26aa21 |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3f84ecf411a71bd8d115a14303c8eac0baf1a7d57c27f81e99c78b2bff51f3c5 |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a84e26c881c97617cb1fd0ca767f6c6a6aef9dc2b22b7c5346b71449a2bb5bbc |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d51a28a580a981a8c30c17c8985ac1d2bb9187f6dd4a55cf24b6f0c4cfc4c1f4 |
0 |
0 |
AWS Attached Malicious Lambda Layer |
Austin Songer |
Sigma Integrated Rule Set (GitHub) |
0650616005d1cf25b22be420f69ef9f6271137f0d29697a56f3346877ffd37f8 |
0 |
0 |
AWS CloudTrail Important Change |
vitaliy0x1 |
Sigma Integrated Rule Set (GitHub) |
4ef2dc5f6a20a823034706154832eb2b6caacbdd7526d5f72b41b87b661c18b9 |
0 |
0 |
AWS Config Disabling Channel/Recorder |
vitaliy0x1 |
Sigma Integrated Rule Set (GitHub) |
1ca012603accfb34b464b1a408012216374690743be9979de051b99b95859e64 |
0 |
0 |
AWS EC2 Disable EBS Encryption |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
7cc31b5a6e3bb9dfe917930e9cff98c24e1477f39b93c17de733f572469e6746 |
0 |
0 |
AWS EC2 Download Userdata |
faloker |
Sigma Integrated Rule Set (GitHub) |
52870d4d2756b6f3dde8066072d0df3fffc2208a2f13a11ad8dda6663fc6c12d |
0 |
0 |
AWS EC2 Startup Shell Script Change |
faloker |
Sigma Integrated Rule Set (GitHub) |
839d04c92bee18b43af5b78244d9a121efb5f27e4eebc842ae6c62a6c9e4b4f3 |
0 |
0 |
AWS EC2 VM Export Failure |
Diogo Braz |
Sigma Integrated Rule Set (GitHub) |
510922d4a963b58fd4765ade7ccec8ec0d323813387711be4acd2577afcd50d5 |
0 |
0 |
AWS ECS Task Definition That Queries The Credential Endpoint |
Darin Smith |
Sigma Integrated Rule Set (GitHub) |
fc4d896380c961454c0e4e2298b4b42f7da55011348cdbec3ff9a56ba169b7a0 |
0 |
0 |
AWS EFS Fileshare Modified or Deleted |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
320cb5ec91c7d2c86ae27ee1a995b6a6fad692c4dd4716db1bddc009cef68f24 |
0 |
0 |
AWS EFS Fileshare Mount Modified or Deleted |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
557ffbb2dc96ead10718f0ce8e23abbd4520126cb5eb85b94b8f3d19e7ff6442 |
0 |
0 |
AWS EKS Cluster Created or Deleted |
Austin Songer |
Sigma Integrated Rule Set (GitHub) |
633e9cc212d624837b46fa0381b5cb0f70e8a41bb219ae76550b862d16340cc1 |
0 |
0 |
AWS ElastiCache Security Group Created |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
82c9482509e59596843bf9c369a8a818e8248c0b8cd43217762ccd4546d5471e |
0 |
0 |
AWS ElastiCache Security Group Modified or Deleted |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
886c07a825a6d3bd1d71d9238ecd1c47fe341acccd997dfca9df6d55d0ce1924 |
0 |
0 |
AWS Glue Development Endpoint Activity |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
535cda9e5250683c27341783e572cb03b5946e3a3930ed6e7ec71fb51411adc6 |
0 |
0 |
AWS GuardDuty Important Change |
faloker |
Sigma Integrated Rule Set (GitHub) |
315526975358ad2d0fa1b5c44442eda68a1a8a523b0c894de935ec21708b66ab |
0 |
0 |
AWS IAM Backdoor Users Keys |
faloker |
Sigma Integrated Rule Set (GitHub) |
8ccb5db92041ee60e6fab70bedfd8e59fb916edc1226612863ffd244a78e453d |
0 |
0 |
AWS Lambda Function Created or Invoked |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
3bf7f1b2fd7fe897356a4416891664478c352bcff4a562abbb4e29d59be58cad |
0 |
0 |
AWS Macie Evasion |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
2caf12ef20a741df57dbd3af15b2018c587c7143520a8c077a4fb25e6dd8d75e |
0 |
0 |
AWS RDS Master Password Change |
faloker |
Sigma Integrated Rule Set (GitHub) |
5ce71a8dd2051186eb3bc827687f0161dcd856a3aa78737ffc610f6040d4166c |
0 |
0 |
AWS Root Credentials |
vitaliy0x1 |
Sigma Integrated Rule Set (GitHub) |
9a3dad9567f385fd12f06417761f939eaf3bc223c50daac4c997e6f50f690b0c |
0 |
0 |
AWS Route 53 Domain Transfer Lock Disabled |
Elastic, Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
91af3f000e86d4d90b8e282d15d62993f5d5ca87f5375dee075988c20a572c22 |
0 |
0 |
AWS Route 53 Domain Transferred to Another Account |
Elastic, Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
79dd906114c4b150b65cf759c1c0d1d83d74766afc2feb337b08ee12e340a013 |
0 |
0 |
AWS S3 Data Management Tampering |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
14d9fe2befc885c1ed6ef46a55bc25f96407917c2385e324b8515b53a65d4b36 |
0 |
0 |
AWS STS AssumeRole Misuse |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
ab071ff54304ef514871c1e84cc731ded005fa0ccda3b66616554a41d88efa5e |
0 |
0 |
AWS STS GetSessionToken Misuse |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
6994df5208389be2d74373903274ef547c51d5eed02015e25e143b1932795aef |
0 |
0 |
AWS SecurityHub Findings Evasion |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
4e8ffcd6780ba56d1f2fa59f77317ebf859a2bf43c4be7719f81b9e03dd5c83d |
0 |
0 |
AWS Suspicious SAML Activity |
Austin Songer |
Sigma Integrated Rule Set (GitHub) |
173a650247a0aa08e4f7d1fbb1ab2154526c9f23e45d9bbfaab1313385bc23ac |
0 |
0 |
AWS User Login Profile Was Modified |
toffeebr33k |
Sigma Integrated Rule Set (GitHub) |
943930b25869dfad30c94e1eec864e899816b0d8b783767e1940cd6e0138d53c |
0 |
0 |
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1ed460e3d1d675508d6550ae97b5b02fb7d2a41633cf104dd13ec5e3898fb4d8 |
0 |
0 |
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3f23a6c297c45d5a9d63d790d48c7f197bedbf2e2a62d28b67dec7a5a79e3196 |
0 |
0 |
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand |
frack113 |
Sigma Integrated Rule Set (GitHub) |
aa47fee25ec87cbc15062b8d3f7e0acb8e38a64de307365aeec8cfbe02f12c8e |
0 |
0 |
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cb8936fcf36d16982575da13504782d400992adaac08cd26ba7845c4a4279dee |
0 |
0 |
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e78750ceeb186d5ea5bbcfb7f9ba741b6d8d9978b25212d97a252621b5af87cf |
0 |
0 |
Abuse of Service Permissions to Hide Services Via Set-Service |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
44099719049070f990e032a6707550adf96a4eb8cdfdb10f3f37381678c18ccd |
0 |
0 |
Abuse of Service Permissions to Hide Services Via Set-Service - PS |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
de5075c9666beb50edc776fa77e0615b1a9eee5a4ca639b4f9dadfa59d3ff764 |
0 |
0 |
Abused Debug Privilege by Arbitrary Parent Processes |
Semanur Guneysu @semanurtg, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9d455dd5e2e653e4afbec915a896019f9ca31a26fba6e2ba47b2a380780ed090 |
0 |
0 |
Abusing Azure Browser SSO |
Den Iuzvyk |
Sigma Integrated Rule Set (GitHub) |
08cc3358fc66df84bafea574255088ebf9e6d0b56cc08317abc1bc31f94bab4b |
0 |
0 |
Abusing Azure Browser SSO |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
3a3618c16315d61e28176798a3bb0420bd03a4732de42920b67e1c038effc0cc |
0 |
0 |
Abusing Findstr for Defense Evasion |
Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
47d19568dce3538a5fd8f2ddbd8388f28dbd91d200dc9a91d8166cb957ace155 |
0 |
0 |
Abusing IEExec To Download Payloads |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b6040efbd7812c47c4f940044893d325b6ecd7c971385b21b9937eac64f2be90 |
0 |
0 |
Abusing Print Executable |
Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
f96e4beae00ea6ddb52dd039e1527892e6c52cdc577988ec8e7730fd3b4cd9a7 |
0 |
0 |
Abusing Windows Telemetry For Persistence |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
215ab0e3f729db474131b73eb9950bd1decd0ab51c4d221a489c48004d3684e0 |
0 |
0 |
Abusing Windows Telemetry For Persistence |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
37508447092b61198dba6c2077887c7bd32c0396716095cb8e25593a16b30929 |
0 |
0 |
Abusing Windows Telemetry For Persistence - Registry |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
29f4b4ab96f93520895ca3d47ccf106f5a6fecadf74906d79a302829883cd114 |
0 |
0 |
Abusing Windows telemetry CompatTelRunner.exe(Audit Rule) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
879510fbd52dc559762564e9dcee6b800c7ebe8846c237911775cf3f6d8d3cd9 |
0 |
0 |
Abusing Windows telemetry CompatTelRunner.exe(Sysmon Behavior) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
18fa931666e2ae680fb1e0dcec0ba06dadd31ca6b52d9c619bb42fca8b7d7048 |
0 |
0 |
Access to ADMIN$ Share |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9b8b6fde8104ca3626c27c746a6e6e07d3f8c89905e685f9a05cb5f6f4edc379 |
0 |
0 |
Accesschk Usage After Privilege Escalation |
Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community |
Sigma Integrated Rule Set (GitHub) |
cd3d7a697c3c3677aa8da2c29a31ba2c427c6efdde2818deab23f432540c2193 |
0 |
0 |
Accessing Encrypted Credentials from Google Chrome Login Database |
frack113 |
Sigma Integrated Rule Set (GitHub) |
51e8e5e690970ad68d784525926120f9a5afde96ebd20253e92cea0d07d54399 |
0 |
0 |
Accessing WinAPI in PowerShell for Credentials Dumping |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
a683beca7674cad333d64a1ffe5ac971414b265f15a99e2f9d2c7ff967cc2fe2 |
0 |
0 |
Accessing WinAPI in PowerShell. Code Injection. |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
780e368b7c4c2665f3cbcc6184c03b9147726ab5239f4c01341cbc02775dafda |
0 |
0 |
Account Created And Deleted Within A Close Time Frame |
Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
2a8a66e18503e4b2c237bf255508bf585dcac87a732728cbbcd511bdd1ff7358 |
0 |
0 |
Account Disabled or Blocked for Sign in Attempts |
Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
82398e3143a953cf8bf5e000c262201372c12f810b17f62d62c997beddd83dff |
0 |
0 |
Account Enumeration on AWS |
toffeebr33k |
Sigma Integrated Rule Set (GitHub) |
c2d1da71047d12f3e9e82a9b10ae31b7f37c8a89483a537c7049c6f83abd4cb0 |
0 |
0 |
Account Lockout |
AlertIQ |
Sigma Integrated Rule Set (GitHub) |
1fe55c2a4747185813415dd5f4e3e497c4f1fc14e546ea9fe496f104438a0870 |
0 |
0 |
Account Tampering - Suspicious Failed Logon Reasons |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5589ef9f2fa4b4fc38d9e2634cb65b59cc829a86599e808fda10586d97094d5b |
0 |
0 |
AcidBox Activity |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
7036d84b791069d70f9a381859bbfdaf7d37a698a47948b343a49a64ab652cce |
0 |
0 |
Active Directory Database Snapshot Via ADExplorer |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
43d5cafc2ab99baaf01e5514d320d214797cff1d52b8ad3336702522499ae5c4 |
0 |
0 |
Active Directory Kerberos DLL Loaded Via Office Applications |
Antonlovesdnb |
Sigma Integrated Rule Set (GitHub) |
a2eee7390841d2713ce09ab45175d989688027fe2141938274b88a1dfe11b75c |
0 |
0 |
Active Directory Parsing DLL Loaded Via Office Applications |
Antonlovesdnb |
Sigma Integrated Rule Set (GitHub) |
6691a047173376a6c37e4a5a5a2ca36610041e928c2900eb7665491f798ff07e |
0 |
0 |
Active Directory Replication from Non Machine Account |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
db12e3072dac7d4a4e8f67282fbba19b12ef761b40ea26359caeec8051cefcd2 |
0 |
0 |
Active Directory Structure Export Via Csvde.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
695199c448d3b12a58e3752401bf07e8b2e547d6efe0e6149ba8d32748ca9966 |
0 |
0 |
Active Directory Structure Export Via Ldifde.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1c98f725d32ca2cd92f710aa97272bf68fc96ad54e57d2d1ca4444e8c95bc7cd |
0 |
0 |
Active Directory User Backdoors |
@neu5ron |
Sigma Integrated Rule Set (GitHub) |
b0cd1653d4d8f0519ad99bcf040b2db9dd835f2df6daa9087c3e4e0a13beb319 |
0 |
0 |
Activity Performed by Terminated User |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
02b84310ae0b2a94f86e5369d7ec39f1a701aed32bc6728b909b446f929745c1 |
0 |
0 |
Activity Related to NTDS.dit Domain Hash Retrieval |
Florian Roth, Michael Haag |
Sigma Integrated Rule Set (GitHub) |
36868991a76ff137e30dea5f77cced4da2254db444c41aa5f83cc7ba6b8fed48 |
0 |
0 |
Activity from Anonymous IP Addresses |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
efecf6d62b61312f886723f752a5c2ee5188a1bac0ee585294f03e08291d66b8 |
0 |
0 |
Activity from Infrequent Country |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
b9be4401ecfc9259f3e9b16e77573b0abed2cf0df93e746abce40e64e7cea7d4 |
0 |
0 |
Activity from Suspicious IP Addresses |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
c020af8eea2544a4fee04ed5143d696c1224c429b3a7871cc87b00b8d5c6cc8f |
0 |
0 |
AdFind Usage Detection |
Janantha Marasinghe (https://github.com/blueteam0ps) |
Sigma Integrated Rule Set (GitHub) |
1e88d14fe153e2c630eb9bdd7e321d7dc3d82670a31f1b36fc90cb6cbc362136 |
0 |
0 |
Add Debugger Entry To AeDebug For Persistence |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4d9fecbabddea65e4e2c196b0377faa0c800a01ae4b90d37503e8e59aca0844c |
0 |
0 |
Add Debugger Entry To Hangs Key For Persistence |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4efb3c3203a4753b90d62be615436fbd2c115d65169098494cb312184a25c564 |
0 |
0 |
Add Insecure Download Source To Winget |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
69a1d86d6744047fb3da5e8d6658a659166715e107e7410172091d94fa935e4e |
0 |
0 |
Add New Download Source To Winget |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4e66bd1dd5fee57f4ffe2ecf83a8243471e8dda3f75ccc5321ecf5e8bd5497d5 |
0 |
0 |
Add Potential Suspicious New Download Source To Winget |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2c1d246414b6774711179081e13ab823b6631ddb09a24e701d4c5878e6c8e37b |
0 |
0 |
Add or Remove Computer from DC |
frack113 |
Sigma Integrated Rule Set (GitHub) |
03210cc4570a84f3b468c8ee247567289fab5fdb4708b2818749e054268a37ae |
0 |
0 |
Added Credentials to Existing Application |
Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' |
Sigma Integrated Rule Set (GitHub) |
76dbf85ce46cb957c64f0c64aec7bdf0c8e0a69603d808ac7f3607c24dbe7616 |
0 |
0 |
Added Owner To Application |
Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' |
Sigma Integrated Rule Set (GitHub) |
10d9f80cd3b66a46c4b6914ee1f2de614ca2643c9c8d42baa1215bd4b6cdf58f |
0 |
0 |
Addition of Domain Trusts |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
f354ac1a99792012ceaef04ee732d816f1a2d9dee2e30492295b794811ed0e46 |
0 |
0 |
Addition of SID History to Active Directory Object |
Thomas Patzke, @atc_project (improvements) |
Sigma Integrated Rule Set (GitHub) |
d755877a01e9e73bfd7efde3363de1b7976022aad16110c5a4b2995a9f8604f2 |
0 |
0 |
Admin User Remote Logon |
juju4 |
Sigma Integrated Rule Set (GitHub) |
ba345e8f98204602e6652f9d41bec21ffed8e55fe558a98315201eec3993eefe |
0 |
0 |
Advanced IP Scanner |
@ROxPinTeddy |
Sigma Integrated Rule Set (GitHub) |
1e081f4ac10fa7ca5c1322255b4569d35b221c6b54e93ab5bd06bd891b690755 |
0 |
0 |
Advanced IP Scanner |
@ROxPinTeddy |
Sigma Integrated Rule Set (GitHub) |
5fbf642a60f85b04f337ffeb9e377bf01fbe1ca8b9325ead915068bbec2ec06c |
0 |
0 |
Advanced IP Scanner |
@ROxPinTeddy |
Sigma Integrated Rule Set (GitHub) |
654d8ac633b50e98138bcb448019dd2fcb8c0384ae47263728f8b4fd84b8ba98 |
0 |
0 |
Advanced IP Scanner |
@ROxPinTeddy |
Sigma Integrated Rule Set (GitHub) |
946d2bbdd10c544f6435f9b58d066f0d418f7bf78478848e179abdd8b5ec19b8 |
0 |
0 |
Advanced IP/Port Scanner Update Check |
Axel Olsson |
Sigma Integrated Rule Set (GitHub) |
e940965433a2cc92fc31e2792e173909b90acd90237f0586703e61591ef0a0d6 |
0 |
0 |
Adwind RAT / JRAT |
Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
29d8efa02d53ac611d0b491bedaddbcd34e06668c553dd702b761afceca6d91c |
0 |
0 |
Adwind RAT / JRAT |
Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
40b38a30ad910fcc157b48f5890f35898cc92ae17559bda1764e434dfc37c1d4 |
0 |
0 |
Adwind RAT / JRAT |
Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6b74b152297fb45850c046a229ca64920ee9d973e33fdb61c3954a849baa882e |
0 |
0 |
Adwind RAT / JRAT |
Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9a837c56dc81ffe30b3cbb46efbb5eaef5933b049b212514e9bb4380f12623c0 |
0 |
0 |
Adwind RAT / JRAT |
Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e1d3ef681f53390850fb5bcd89f8d9388eebce85673fe6b8f766bd596275003d |
0 |
0 |
Adwind RAT / JRAT - Registry |
Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2430fe9fd6e24946c8534bace62f59a139bd0871a15e594408a81134d905d1c3 |
0 |
0 |
AeDebugProtected Reg Key Persistance |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
a3febaea6fa1eefc8642f7d848d0b2d4f2b70c0359fa395d9e8ee921c218b36d |
0 |
0 |
AgentExecutor PowerShell Execution |
Nasreddine Bencherchali (Nextron Systems), memory-shards |
Sigma Integrated Rule Set (GitHub) |
bdfecd34e78aae683a75a4a2ea4412bf84cb14ba9fb9fac298724228723ad016 |
0 |
0 |
All Rules Have Been Deleted From The Windows Firewall Configuration |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
de3c3a1f1f885a99189003961c40507ff50155075f1847683580c0391eca48c6 |
0 |
0 |
Allow RDP Remote Assistance Feature |
frack113 |
Sigma Integrated Rule Set (GitHub) |
166df8c1d3e7f7c5a9fbd54dfc633614e8f49352354a3f5d9fe7ea04de73be78 |
0 |
0 |
Alternate PowerShell Hosts |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
5b34558f1c4d3065989635055533ba223585e99be44e2b0e319dfc6946c50ee2 |
0 |
0 |
Alternate PowerShell Hosts |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
66d3c05927db71e9d8760c5353ef8a161521b446c0b6cb8ea538a081d2d15e8f |
0 |
0 |
Alternate PowerShell Hosts |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
b98a87132b8f25c1b28f308d62a1f37edb6a16c239e5d98a314a15853193b18c |
0 |
0 |
Alternate PowerShell Hosts - Image |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
1ff53e9fd6749954464f3ac22171fc115796cbc09d5ac9331d6db4cad674287e |
0 |
0 |
Alternate PowerShell Hosts Module Load |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
0b70b2266832f57d7fcd62d232b3b469d8788c9a97ee87dfac1147dbd08533a2 |
0 |
0 |
Alternate PowerShell Hosts Pipe |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
ba100a757ed85b5b1b191f9aa12c8123ef59a9afd99c6cb8fdaeb4f7bd4e12fa |
0 |
0 |
Amadey Botnet detection (TA505) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
472362d8dcad8c26a75836b16e7f1e1fa272f614affc2dd864632b8a3af7e12f |
0 |
0 |
Amadey Botnet detection (TA505) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
cec4465383805716c59e96f51fd252bb21a3cba08cb59dfe0e21d49eaaee228a |
0 |
0 |
Amadey Botnet detection (TA505) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
dabd120c240b719397478da50d0bac817e3ab6b120221b5c78ba3d5e42143637 |
0 |
0 |
Amsi.DLL Load By Uncommon Process |
frack113 |
Sigma Integrated Rule Set (GitHub) |
839b8da98cb18a93a4c803f0e372af5098133357d4e2c35fd9f75cd01bbd43b1 |
0 |
0 |
Anonymous User Changed Machine Password |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
5262477d283c94c8a282e110700640abccc3d50d92a485af02adb2a0ed079358 |
0 |
0 |
Antivirus Exploitation Framework Detection |
Florian Roth (Nextron Systems), Arnim Rupp |
Sigma Integrated Rule Set (GitHub) |
b74dd119e6b8a4b8160d85ec696dd1b8f9d9990a6eebdc5abee1ce10d635d8fa |
0 |
0 |
Antivirus Hacktool Detection |
Florian Roth (Nextron Systems), Arnim Rupp |
Sigma Integrated Rule Set (GitHub) |
c199a1ab724951efd7b45265fbdd55c15874411108f51d080ff79caf07509ed8 |
0 |
0 |
Antivirus Password Dumper Detection |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
26728f84df236571280d6d8d3ec2ef0250723676cf344e0e4b29b397901037d5 |
0 |
0 |
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection |
Sittikorn S, Nuttakorn T, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
22284a04af59d3dfb90caff89d34cb8f366f73553f1aa99101a46e88e4200b71 |
0 |
0 |
Antivirus Ransomware Detection |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
8d8c06ae6c280fb5c26f506a8eadadc666e6b8a4b115fb8c68decf1202868f19 |
0 |
0 |
Antivirus Relevant File Paths Alerts |
Florian Roth, Arnim Rupp |
Sigma Integrated Rule Set (GitHub) |
a3fdf9ece7053d2030dc642bd2eb70cd4c3a3e45f7939313db5d59ae6fec42db |
0 |
0 |
Antivirus Web Shell Detection |
Florian Roth, Arnim Rupp |
Sigma Integrated Rule Set (GitHub) |
0abd8831aa5efdcfa40c619dadeb24d85fa74d097fa44e68d639accddb2a7e70 |
0 |
0 |
Anydesk Remote Access Software Service Installation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a74b000fa65a105160edaf2cea082befdfd07389b3d81378fd43cd6abf3a94b0 |
0 |
0 |
Anydesk Temporary Artefact |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e10fbca4d86522aeac83abdc331770c474bf85a4fbe87cff23642eb6a498969a |
0 |
0 |
Apache Segmentation Fault |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
723a6621f9b140b510c7f46523b33c69c2beb3f9e824516e07e5bb83aa5b0d26 | 0 | 0
Apache Spark Shell Command Injection - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 245d51be14a6aea8247e090ed8bccd7ff1343a69fe3e5ac425960f84c6c0d629 | 0 | 0
Apache Spark Shell Command Injection - Weblogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6049b3cd09fadec41e58f1373307e089bec9fc104540bffcab8d389ffd26e28d | 0 | 0
Apache Threading Error | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2210d9229d212ebd79a69712d72ae5590caccd7f8c47f91331c431e3394f87ce | 0 | 0
App Granted Highly Privileged Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | f5c2edfa4568095138a74e6d1258f67aacbb769134e9dbb212870a4a8de09873 | 0 | 0
App Granted Microsoft Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 2d29ecc9290d6afa03d733640acc3d0d220b0b393f7b2719ac33295f58c34e63 | 0 | 0
App Granted Privileged Delegated Or App Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 959c26d059b6b1c8acebab85f72c99215eee0aa0897c32c96524377b6f90e88a | 0 | 0
App Permissions Granted For Other APIs | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | a6bd215d292cb31faa9264f005c75200c428fc84f750306c85eb596505799c29 | 0 | 0
App Role Added | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 7b9cf1b24ba10b85109a309c8ec31d9cc0cb3bd010d2ee2c99bdb301b4a482fb | 0 | 0
AppInstaller Attempts From URL by DNS | frack113 | Sigma Integrated Rule Set (GitHub) | 8c20386ca2239562a26b808135071390e3abe7434cb251781a4656b1b4cf71e6 | 0 | 0
AppLocker Bypass via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 2331619a69009fbe3cead24a909b7e9d42ffb14b71caa6d83ee04fce114b10eb | 0 | 0
Application AppID Uri Configuration Changes | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 7bb4d1866297312fbaf22981a0884a00cd2b6cc0884294b995f8af22637b8c42 | 0 | 0
Application URI Configuration Changes | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 602740da70d3ff3d4654b32be683dfb1b49ad03a45553e1380a03ee918bc32a5 | 0 | 0
Application Uninstalled | frack113 | Sigma Integrated Rule Set (GitHub) | c82edf1cc13cd1fb147ab2b58854576c3cdaad0a6d5b8b4fecbf68a08a1e742a | 0 | 0
Application Using Device Code Authentication Flow | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 226c91fcc62837d3f1c04764f19be2a014d6d398a9af8c46e6ff6ef2d28fa6f5 | 0 | 0
Application Whitelisting Bypass via Bginfo | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 3a9675abeacca74d231073efcc4c362ddc755278240288e69cd34b2f2052cffc | 0 | 0
Application Whitelisting Bypass via DLL Loaded by odbcconf.exe | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | e7b216cf44265cf356b012760fb4e0a6e04289ad81a1fe180bdb6b75c59729a0 | 0 | 0
Application Whitelisting Bypass via Dnx.exe | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | da46c4a25c9b1a9291dd79b4539957b5ab71a6f2d75da9a90cfe48f74048a9a9 | 0 | 0
Application Whitelisting Bypass via Dxcap.exe | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 208e2a3b52a6d211e7c5b85a6b02a3d7b276c3d13e266917a5e033a43cc39d85 | 0 | 0
Application Whitelisting Bypass via PresentationHost.exe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a92f0f2a0c39160d3e7f5d285e22beedb4e44ac9471c4675711203fabcbde79f | 0 | 0
Applications That Are Using ROPC Authentication Flow | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 4edddc78b121c570c0cc0b8f9f34fda448ae47381dc23fa34d0e92afb84b8c56 | 0 | 0
Apt GTFOBin Abuse - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb264a5706df7ef97923f067f7e95a160f5ac20d0a2a45fdfd4358ea9601ac11 | 0 | 0
Arbitrary Binary Execution Using GUP Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3eb1798da734a1175f4064db9bcae87d8f1e0635b2a5bc95e9211a3604b8c76b | 0 | 0
Arbitrary Shell Command Execution Via Settingcontent-Ms | Sreeman | Sigma Integrated Rule Set (GitHub) | 1eb1f4796a2c05305c0e6fb961bac3fd02861464a7d6bc3d1a35461737101c81 | 0 | 0
Arcadyan Router Exploitations | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 0274ce4cedfe4942275222ff262ad3bc4a6d9230e7d8aa753adaf19da3b08ebe | 0 | 0
Artrta Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a460ea212cd93f867529a23e3064a9972f4e4b97bbba5f916b427016caaccd93 | 0 | 0
Aruba Network Service Potential DLL Sideloading | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5179445d911d6fbb8c94da23454267597f95beaeaa0630fb25175609654f9df3 | 0 | 0
Atera Agent Installation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 25ae1d6038813be4c6c9dd482574522a1ec3ed0d01450b06b4673f94bef1aa71 | 0 | 0
Atlassian Bitbucket Command Injection Via Archive API | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d886380a9f8a967bf006cabbc3bad64fdf82ea3450ec02b40bcc4c56ea33900 | 0 | 0
Atlassian Confluence CVE-2021-26084 | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 56b5ba6ff40bf2213da0f48c868136707e52c6ca8ac602bf6013d111e87ea977 | 0 | 0
Atlassian Confluence CVE-2022-26134 | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | da92610c4bf2acba31703944912a2d93f568fe02dea678aa4640ab4c80536cf3 | 0 | 0
Audio Capture | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | a4baf3681957e567a0dcabca982a74d6ef27a7f4371c330e743abb82201ce772 | 0 | 0
Audio Capture via PowerShell | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | db002a5ffd8be8305184d197dda045b272ab439c9fc205a6ce985e3eb911df70 | 0 | 0
Audio Capture via SoundRecorder | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 9d251711b5a07fe8fb5fa341d8312ddbf0fd1b878b4a2d04e5feebb9885f1067 | 0 | 0
Audit CVE Event | Florian Roth (Nextron Systems), Zach Mathis | Sigma Integrated Rule Set (GitHub) | 0c184188e5202d857b8ad97911db2679f4da47c8ff9498e869e2794f4b017d77 | 0 | 0
Auditing Configuration Changes on Linux Host | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 08bdc4ce556bc84980d5552bb3426a25d11cc00dfa1d2ca4e727b609ad595cb6 | 0 | 0
Authentications To Important Apps Using Single Factor Authentication | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | ab5210813ff4cfde3cc40f087e36f3bb3bf91424a6843fc7c43981fdd0d43638 | 0 | 0
Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 312ca94426dbc718ff09f09e6a43b898190a0aaf80ccbf8bbc1faeab30a2381d | 0 | 0
Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 384c8a60fa80b800ebd740d52e56ddada550877252c4a1c54b09045cbd667d20 | 0 | 0
Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | eb88bdebe1990354c146b84c3335fe5d42136e63848540b27845073f1f61fd4d | 0 | 0
Azure AD Health Monitoring Agent Registry Keys Access | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 3bfeb8cfe94b16cd5b7f3c96024b95509404dee7b48144b2af8aa5ce4779de13 | 0 | 0
Azure AD Health Service Agents Registry Keys Access | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | bbe20978cff2db9667ec877573b1107ee982ff6d743fa80d3cbf2b74771a384a | 0 | 0
Azure AD Only Single Factor Authentication Required | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 6ec6f440b21637b3be0f9f60a20e5f6fe64fbe1d64418abc56449a7f4b56c642 | 0 | 0
Azure Active Directory Hybrid Health AD FS New Server | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 74b3585358a705f41a3c47ca255f4fdf226f80d67efcd8180692d9830cb0cddc | 0 | 0
Azure Active Directory Hybrid Health AD FS Service Delete | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 79b78dee5286fabf9074e377bf3ad75038d8b8d9a5087f439b47b5c962e9a221 | 0 | 0
Azure Application Credential Modified | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8249fead423c34843b4256f38229856595e4938b344740799a977671a8721be9 | 0 | 0
Azure Application Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 2ca197a0660bd80fe905e4ca00acc28acc9704a89ac7f82e3b3f99f91c2277bc | 0 | 0
Azure Application Gateway Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | 99cfccf0f7621c216ab9a6e574118c7d08bd147ed24fdfc923c1bef27869dd2e | 0 | 0
Azure Application Security Group Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | fee924d31493870a0e467e4c218281258f926382c4aed996e8c0ead7b0ffd1a1 | 0 | 0
Azure Container Registry Created or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a50193cebf131589afa2e4c5caf4bd66397e7f3e21a007d2dceb8a4a87b50ef2 | 0 | 0
Azure DNS Zone Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 43efaace741bf5e0b6dd18d8ac4cb9c2541ae1076b512e1bd743a3064a1e6bd6 | 0 | 0
Azure Device No Longer Managed or Compliant | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | c81341f9f6cd4cd0b87566645bb2e5b8bcbf96eb3f70ff9b56ee3abf4854e84d | 0 | 0
Azure Device or Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 96deb162e4d7078c4d37c8e9299cd36a06bd4e7851a6667dbf6d26a2c982d28e | 0 | 0
Azure Domain Federation Settings Modified | Austin Songer | Sigma Integrated Rule Set (GitHub) | cbd7365e52f94f02a513846714617391f68f6912003a2eb9a0bbacf128259b5b | 0 | 0
Azure Firewall Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d45698a63ac241254c2e58e006dd45b43f164ffe1d0a192e9e4bfb69fd4d0a70 | 0 | 0
Azure Firewall Rule Collection Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4e5d8654f38840ce7dfb65eccbb26e41cf2087dc48fd3290abc364e99ff6c223 | 0 | 0
Azure Firewall Rule Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1966c63d48e697e85ff918b12a3933601905b8e608c26a39ba40d0802843a0a7 | 0 | 0
Azure Key Vault Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8277b5e14bd624d703568cc728cc7573300e7157c6085a669f3c467b2b2dc91f | 0 | 0
Azure Keyvault Key Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 9cd4b711206e3c37197e34894fa230459f8f3973e55a8393632f7b4f394a0757 | 0 | 0
Azure Keyvault Secrets Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ca76365114071335144bbd16aa1ff1702fba9628d9339290e6ad1ca4038485b0 | 0 | 0
Azure Kubernetes Admission Controller | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 0f1f0dc48da97695cb6527b079cf0a309aa8c1f5330034f614fd18aa4a3a515d | 0 | 0
Azure Kubernetes Cluster Created or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ad11168ee302b9e417ef34de10e853a070a2255f619a0f2e5ce8093efa4125ec | 0 | 0
Azure Kubernetes CronJob | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6f0756909a231b1de68feb41531a09f1b4aa980d4cb705216064bbf410c47f38 | 0 | 0
Azure Kubernetes Events Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8d931927daa9fe944bfee3fe82c6723e2f8c8daab9a97f657c6b92eec3f60413 | 0 | 0
Azure Kubernetes Network Policy Change | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fa73bc2ee70f7f45ebea4039e72ecbf9d55585af7633d7dc5ee78175f740c847 | 0 | 0
Azure Kubernetes Pods Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | e96da18a9f7bce0ba8dbf0ea74585858e37bdf438c3a3acf0e69ad4f611d8e00 | 0 | 0
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | dcf545836738f2f84a8fe309688d2565d5db60f2003e89935f9c884ebde8b2f3 | 0 | 0
Azure Kubernetes Secret or Config Object Access | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | dcea1ea1d9ac39af65a5f28568f16c91f9dc4c647daea19dce016dd2466bdbd8 | 0 | 0
Azure Kubernetes Sensitive Role Access | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 23e30fa444fae1b172748e6a76e829b2b5bc2d747c0c6d679f757fbdb036198b | 0 | 0
Azure Kubernetes Service Account Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8a73631fa6f0fa5dff761b9c6c0a3ccf6a66f656636662418503f105d17d8993 | 0 | 0
Azure Network Firewall Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 9899c52490520e420876ad5de364f9f956e993c38bb2bf6e26f7afad6560eee9 | 0 | 0
Azure Network Security Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d91818569830303d0793ec9cdf27d592e581e957caa02141080927e8d4debd7d | 0 | 0
Azure New CloudShell Created | Austin Songer | Sigma Integrated Rule Set (GitHub) | 168e1c35ae1332d1fde280357d55f94bc3fa72d5f623c5075dc9e95719b508e0 | 0 | 0
Azure Owner Removed From Application or Service Principal | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f497fa0952b0643d212e000f9beedfa0e38c340e126cc980759fd73aea3f074b | 0 | 0
Azure Point-to-site VPN Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4fe122fb2f4694c438ef09c62c437757ffff5f2960a1d78aa757b6f0cdab3541 | 0 | 0
Azure Service Principal Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8e656dbfb37b60d6fef29014993072a6b8341f80dbd9d2ac0901fc71eb99b51f | 0 | 0
Azure Service Principal Removed | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ce41462e381c9c869284161db12adbbf2078003b7ce16266c923d3dc021e19a0 | 0 | 0
Azure Subscription Permission Elevation Via ActivityLogs | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5fc1781e8afc3e000022771fd6678ed7bca2e931810fbe088916375a89ca353c | 0 | 0
Azure Subscription Permission Elevation Via AuditLogs | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f1133baebe520b6bb3b6aa03c2a199e4297f5620463593d2698f7317285f40a5 | 0 | 0
Azure Suppression Rule Created | Austin Songer | Sigma Integrated Rule Set (GitHub) | c024312538da26140188fc0c40fb6fdffd2ba7813aeb307a59b8a7a73953de52 | 0 | 0
Azure Unusual Authentication Interruption | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a2fbabf1ea8e4593cac5c7ebaa8163ce713e0ccc9f65c8c76fd6ac40c53ccab9 | 0 | 0
Azure VPN Connection Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | e0af5f08fe2a083cdd976c7c926cdeee6d6099cf28085ad65013d5a1c9041186 | 0 | 0
Azure Virtual Network Device Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | caa2f19474e04314ce3f38bdc4f01d4f9704a841377ea129171fc6d2ec5f08e0 | 0 | 0
Azure Virtual Network Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | daf496c3dedf483941f3040398af3b052a54fea0d8f410a2407b7284ae613dd4 | 0 | 0
BITS Transfer Job Download From Direct IP | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a494f742d330705777e5a96f912460606a8f2e2d14c3c3ff9bca30929187e494 | 0 | 0
BITS Transfer Job Download From File Sharing Domains | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0d0f79e71de73c83c9e3ae928a91ccccbfa9b757e0826a629f68a3eb8cd0650 | 0 | 0
BITS Transfer Job Download To Potential Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 884ffa23512e6ebd77b6b249b9116f23f70d19d19433ab61ad18becb188413bc | 0 | 0
BITS Transfer Job Downloading File Potential Suspicious Extension | frack113 | Sigma Integrated Rule Set (GitHub) | 07b062a873c1d9a27ed7c8b25d19df4ae39cb2bcae62b16c6c0b738e0e99e75a | 0 | 0
BITS Transfer Job With Uncommon Or Suspicious Remote TLD | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 916d1dea4e8931fac50e75afcd2ff7c3c4eb8e68a32b9f83d9846a5baa1b41bb | 0 | 0
BPFDoor Abnormal Process ID or Lock File Accessed | Rafal Piasecki | Sigma Integrated Rule Set (GitHub) | ad15a7ca794c1a80d655c5a8c8ce1bd98703b84bcbe58e085c057ad49c6377c9 | 0 | 0
BPFtrace Unsafe Option Usage | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 14224ae90ba2bfd3b69a2ebda9756c88e99dccecb1580804850e6163e97657da | 0 | 0
Baby Shark Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7e3c417e8dc74e72824b44e745f3abcd085e70e309ca15d279f127de94331f6e | 0 | 0
BabyShark Agent Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 65fc9733e96d5061d9c0158d5e935ee4fb89c6a3d5981ed3e2ee6eba8d7931bc | 0 | 0
BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e578b7532f350b30e9614eb1a524f8d25975960eeaa667becc98ac9cd99c42ee | 0 | 0
Backup Catalog Deleted | Florian Roth (rule), Tom U. @c_APT_ure (collection) | Sigma Integrated Rule Set (GitHub) | db25081a26915f454c9f9fc4dd73865d15100f764005bd361a8ec9eecee428d3 | 0 | 0
Backup Files Deleted | frack113 | Sigma Integrated Rule Set (GitHub) | f15234ba5cc4c709633e015e497cce2bab7cd6f91b488b8c04ecfd5651e68749 | 0 | 0
Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c5b3ab9b3a0221a66b1da487bf7bd851b4f9cf0a8e2b7b22e659e5fd42b40815 | 0 | 0
Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4c21f3c713476df5631f5741b8b322c195fdd1759bd4220138d6e4d100c43b59 | 0 | 0
Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cf78d5c37f3b09e94b3500edde1baaf99114e6503c98d1cedbf58f67f4e2b1de | 0 | 0
Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | df75fb5e2add2e6674d7b5df931eb3ea32c98e61f6fcc4cb9e981b99fab72c52 | 0 | 0
Bash Interactive Shell | @d4ns4n_ | Sigma Integrated Rule Set (GitHub) | f79f3c90ed2814f8c1329307fde553431e9978c1fb579ef0824abb01a64310bf | 0 | 0
Binary Padding | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 02cb79a02d071bcc40631d144c5a778d3326e0d2226089538e755f27dfac2048 | 0 | 0
Binary Padding | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fbac61acf4870c524599db45e1b2dfc09b3058a0096d5fb5b9f1cbc7cde4fee | 0 | 0
Bitlocker Key Retrieval | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | 7b3b2c6da15ef5621daef26ebb3baabf8a365d507916d900ab1eb197769c414b | 0 | 0
Bitsadmin to Uncommon IP Server Address | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5a7b58d1d0d85ecf23dadf094755b9ec6fb8f853ee15f4f3959216ad963771b6 | 0 | 0
Bitsadmin to Uncommon TLD | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2e6f9336c9aa7e0fb900844db203acd64f2e49c46053557f76e819509277e0b2 | 0 | 0
Black Kingdom Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7b246ccd83dc04be953170d86f9c74b4e9d46071fbc612523b2b7b5564ea248e | 0 | 0
BlackWater Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 39cd8a4762fefe23e71b4a9c925150241a4c887c22e6c33561f972f394454f55 | 0 | 0
Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 85ed357648ddf115b4b4d1596a36cdf430f132c7262701da1960f5d9c685d48d | 0 | 0
Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b5d26570d88e55e6f8513514b34cb8ae7122dfac66a407ee89e3136500fcec9b | 0 | 0
Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e10ed3279956a72f0ea14fe2fcfa974f8619f90a357e53fe89511819a764c36f | 0 | 0
Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | acbedd0b4dd2d93744542676c9afdfcf6f0f313229b26f137a2d979893bec5ff | 0 | 0
Block Load Of Revoked Driver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6a678b271d158987968faddcf4e07f864b2080c9ff19677921e776403be400e | 0 | 0
Bloodhound and Sharphound Hack Tool | Florian Roth | Sigma Integrated Rule Set (GitHub) | cfc47087b4c2d98cee5d80b1383b55212d8fe298ebc880e15c894f55123fa95a | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 0cb9e146271e0c9ad794c98863e0e6d9c6ca19471bfea205eee4a276fecbd69d | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 8f6a9e9bbcb601d1bc09093f383e8d8f1f7f09bf7d7e69843c14a7cd880ee0c1 | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | d0b6ca563c74d796de2ac3b8200508b7ea05a9ba9533d0d455ec1f717dd0b8d5 | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | f1ab359e7200763d0ebd605b4d6c074a821679006372360c1fef073501822e2b | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | f723401b33927cfc6f265fefe66ce2982144e1ddeb991a3b47302b70b730b91a | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | fb9f6bbd034578721056b64fb7a34b4e2726da17d1cbf5711dced3ab7cd005c7 | 0 | 0
BlueMashroom DLL Load | Florian Roth | Sigma Integrated Rule Set (GitHub) | fa6fe737f5145762e909801e31b442ca6e73fb112f26179762cd60b5c64a4867 | 0 | 0
Bpfdoor TCP Ports Redirect | Rafal Piasecki | Sigma Integrated Rule Set (GitHub) | e48afde2372557d77514edca83b126212c3f48b0bf0e38f4a35cf2ae0ed2af33 | 0 | 0
Brute Force | Aleksandr Akhremchik, oscd.community | Sigma Integrated Rule Set (GitHub) | 4307719a67c4c9c1343c12fa7fbdb91107ce614a895545a9b2de04426298134a | 0 | 0
Buer Loader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6327206ca6b0ae94eb02e02c0eda55e26020672bad83ed8831fcdc84f2c0f3ff | 0 | 0
Buffer Overflow Attempts | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad1714ed24aec2fa28551a247a666369e496ada2acb48b02b3b266083d75e6b1 | 0 | 0
Bulk Deletion Changes To Privileged Account Permissions | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 5f36d7e3b3bc9590aa6a129e7e3db4fb78f2245031d5a0111add67b2dc8371b5 | 0 | 0
Bumblebee Remote Thread Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8f014ee43cb3fab9f235f104d16cf3641236cd69f3975b08abac22e75458d45 | 0 | 0
Bunitu Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3a8e7baeffec67b69220da8b8d25bcae45e047937d0f2f833052ef5ea532aa9a | 0 | 0
Bypass UAC Using SilentCleanup Task | frack113 | Sigma Integrated Rule Set (GitHub) | 09bd87cd156913fd5b64ab548f700258c49833a235b205c8494f05634670d8d9 | 0 | 0
Bypass UAC via CMSTP | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | ae5debad574fb4590d5efc9d2e3614bb603a5670f3f9f926a42d2ecbf0de0291 | 0 | 0
Bypass UAC via Fodhelper.exe | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | 4793e3844bd4ee212795ee4a6bf167b869d51840732845bf0d2aa41f7481e6d7 | 0 | 0
Bypass UAC via WSReset.exe | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | ced1e1a1282b5d51ede1ac7a7dcc08496c538aeeb8bc6ecc1f72af56cd773d04 | 0 | 0
CA Policy Removed by Non Approved Actor | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | 4b21e17c3224a50fbfa8db57e0c47405a95b42de6c2d13284a025f958c59cda8 | 0 | 0
CA Policy Updated by Non Approved Actor | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | e97a3f03c9bdcda96062b2a4766cd34e555d12f3df4a36c6f2fd409dd05b29e9 | 0 | 0
CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 793159445715fc7a8b862f94666ae175cf0a3f6ab66c76e3af31ac86638fa859 | 0 | 0
CLR DLL Loaded Via Office Applications | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 6362c65a14d81807ed78ab9e2fa99fbb546c067d39b3b63846c820e5c401e2e3 | 0 | 0
CLR DLL Loaded Via Scripting Applications | omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 5c2eb7356281203a2556ea40a71892ba7a369c46d5f2fc4574a427ac968c097c | 0 | 0
CL_Mutexverifiers.ps1 Proxy Execution | oscd.community, Natalia Shornikova, frack113 | Sigma Integrated Rule Set (GitHub) | d4793fdc170cfc0019f263c5dbc49df48f39d366293c6a9ae195061e90baf017 | 0 | 0
CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 65ffc0ddb80d953bb500276c61b57ba48cb45df5128bb8264ab47e7f48b2c9ec | 0 | 0
CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | ba18b1afcbf41aa13fd2cd7dc8e323b09854c6f046b4a98d07c2ea5d751d7584 | 0 | 0
CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | fcd2fd95fad355c5e2d783abef0cb21f5fcc96e6ed5e0637f465bb7e75cf9342 | 0 | 0
CMSTP Execution Process Access | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 87af8c0b574ec328882da2ed6ae28880f2577cf0bbe165ae6e19d50475c6d86a | 0 | 0
COM DLL Loaded Via Microsoft Office Product (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 8f3c9743049559fb0309f2478f6d6c65e7de8ef0a27373e4c584779e3276979c | 0 | 0
COM Hijack via Sdclt | Omkar Gudhate | Sigma Integrated Rule Set (GitHub) | ab8743ded66b586929aa13e45ceb037d6d8b0070893c7f23eb993baabe393a9d | 0 | 0
COMPlus_ETWEnabled Command Line Arguments | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 37c4f090dee0ead128c75a30b117563fd3376ddf2e4b622311b167c9a3b1ba18 | 0 | 0
COMPlus_ETWEnabled Registry Modification | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 35fa58d3974ddf4be72ca9c5273ff5dfde7de065d8b27e4baef1189a9c10014d | 0 | 0
COMPlus_ETWEnabled Registry Modification | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | cc1b63adcbcba57ac6edb7913c2741cb0bee32fe4301f250ee4087ba643a654f | 0 | 0
CVE-2010-5278 Exploitation Attempt | Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | d934f98bfa1d3842f51f86448d12eaa5d7ae665d51986c839307e4494210607e | 0 | 0
CVE-2020-0688 Exchange Exploitation via Web Log | Florian Roth | Sigma Integrated Rule Set (GitHub) | 00d02232ebab9d4ccdb763022a32fda3d58da65c29159ed6992ba07072196b09 | 0 | 0
CVE-2020-0688 Exploitation Attempt | NVISO | Sigma Integrated Rule Set (GitHub) | 5bbc9c67b6f5cb0d9b567b095ac079935288aace38c952feeefe24cca8db2fbf | 0 | 0
CVE-2020-0688 Exploitation via Eventlog | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | b8583b9acaa360ecfe76d00ff9d352cbdf6d3107d975a243b3ffb45ea03c67e9 | 0 | 0
CVE-2020-10148 SolarWinds Orion API Auth Bypass | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | b8a891b94f9eaba11d1c04c2500b004dcd5a7de6f8e0722ef3d08f910741c37e | 0 | 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 332d13dcb0a4e1a6c422484f6927e7408031f7270166ea37cf7f557c68ec5efa | 0 | 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5cf068578d60f0e62a85062e3f528e2e675df78e1d1b2324b93218b97404a4bd | 0 | 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 241626240096e85dd40e071e886b505b28444c8f3af6df03ef5c13b9d9776cda | 0 | 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | bd554d600bee5054372f731217934ed318c54147855183a261c54405ef43c54a | 0 | 0
CVE-2020-5902 F5 BIG-IP Exploitation Attempt | Florian Roth | Sigma Integrated Rule Set (GitHub) | 28e45cf616425b3c243efdcab379f55c65b9c0717203ffc48f3c3f124c310ff5 | 0 | 0
CVE-2021-1675 Print Spooler Exploitation | Florian Roth | Sigma Integrated Rule Set (GitHub) | d7d444c9a70f46cddde00a1fd7df0120fbe71489ab597d307121ebaa8d8fabf6 | 0 | 0
CVE-2021-1675 Print Spooler Exploitation Filename Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 873bf5dd3d347e031a1a45c3c7da75768415ed8da25fe6136b24881f29b6ba3b | 0 | 0
CVE-2021-1675 Print Spooler Exploitation IPC Access | INIT_6 | Sigma Integrated Rule Set (GitHub) | f011655155a4809262d5b5b289c20c070c7a7dec29d95846c91f3e39396d8bcc | 0 | 0
CVE-2021-21972 VSphere Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 2215493140650ea52f95acdf1c79355498c6a798bd8ab94a6943d450e765fd0c | 0 | 0
CVE-2021-21978 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 82d6ddf5b00dd27b2c72d0ff170f126fdfad3155a287a936bd9d6075a8f8d944 | 0 | 0
CVE-2021-26858 Exchange Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bea74b1863b1262ffbfa6ffd29da720d86bdcd7ad6ea4a27a2da1c563fcb5093 | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 236292ff7ca8a69ab14291cb8d62c04d3b02986279a40bf5a30c9345804f78bc | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 5d4f849169f7cbe8f891d2622b175e4a42e41f434ea0540e841504b3b7de6e41 | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 908809e40074898d7b460586768c977b2a700582c38d0355eb3f7e823d8d2c59 | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | ab3709539b01cbfabb623bf86f278fcfc6c5bb5e735e7b13392f184bd6bfbfc6 | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | daa2b8c9a016f7a9553030afbe735cc198ea85e381594ee1f438d0c54496b152 | 0 | 0
CVE-2021-31979 CVE-2021-33771 Exploits | Sittikorn S, frack113 | Sigma Integrated Rule Set (GitHub) | 3fc8cf89558a3ec50308aea72b7745ae0f219f9882cda378f1cbf0487a7a3e32 | 0 | 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 70390bef07d59937cec0216e008ce815799b4c22a5e260a684ed6bfac4fdcd1c | 0 | 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 9c20b726dcc3e2be564bb8c45c1c3372d7051d5cf3ff87aa65115c110cb62f4b | 0 | 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | a5aa00b412cd8e83e52f741ce80dafabe03f640d00ccf9f43a9c610344a8627c | 0 | 0
CVE-2021-33766 Exchange ProxyToken Exploitation | Florian Roth, Max Altgelt, Christian Burkard | Sigma Integrated Rule Set (GitHub) | 8f5525eb13728c689fc0e016fae75537d736213235bcab835284983e3ec2e37a | 0 | 0
CVE-2021-40444 Process Pattern | @neonprimetime, Florian Roth | Sigma Integrated Rule Set (GitHub) | f438a85d4d0729d23171fa1823ccdb8541fc46f2e71ea2827ad42bc7f373a360 | 0 | 0
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit | Sittikorn S, Nuttakorn Tungpoonsup | Sigma Integrated Rule Set (GitHub) | 0c9b01c970160550c39d032237474fe010d45a8b283b53084a214bb65abf5fae | 0 | 0
CVE-2021-41773 Exploitation Attempt | daffainfo, Florian Roth | Sigma Integrated Rule Set (GitHub) | 785c77adf74a5ac52d0c7c196fb79ad631311bdc96913b8d2e2b6f6486c36578 | 0 | 0
CVE-2021-44077 POC Default Dropped File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ad3f26b92d2442c828898d8d576b108116639952e23e140655f058b6a03601b | 0 | 0
CVE-2022-24527 Microsoft Connected Cache LPE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39809f574bd56b1dea5fc43fa0766a4e242b3f02d25f4cc138a9d34f850e3927 | 0 | 0
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1cf59ae9ff5a081bc97dec79c05c8f01b9f6ba7f71e907200e83ab7d5eec3e0e | 0 | 0
CVE-2022-31659 VMware Workspace ONE Access RCE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bfae7dd5de2cc1be11a85762c9a4e9dcc75b72cc64c865a8c1aa30886b53cb3f | 0 | 0
CVE-2023-23397 Exploitation Attempt | Robert Lee @quantum_cookie | Sigma Integrated Rule Set (GitHub) | d03d6ef87c35d045be74c0b4e83fdf1d82094e9e8e7dc4dd0b3a991e1183c794 | 0 | 0
Capabilities Discovery - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7d7a76816d1701b70058175cd64c9141dd713d3f50d5f0d656227b1e6b3b530 | 0 | 0
Capture Credentials with Rpcping.exe | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 15be2ea21971f32bb037bc7f681259a4f9e1989cf78ab9a1dd5f8efe68cfcdbb | 0 | 0
Capture a Network Trace with netsh.exe | Kutepov Anton, oscd.community | Sigma Integrated Rule Set (GitHub) | ed43493e84bcb41bf4a6e8d03279fa79baffdfa16300655622641d8b9754d344 | 0 | 0
Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 064b8f335c5dad53244cfd14a7c51a8fd536dc8c86741bd6699e06ffdc7563a1 | 0 | 0
Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 509dbbd043383b28efe214cbd5f61869746cda8dd2069a844d35af2ad5c12e71 | 0 | 0
Certificate Exported From Local Certificate Store | Zach Mathis | Sigma Integrated Rule Set (GitHub) | 8c89cbee7e29ba90d3d255c084d1cd2d894d8554bc8c6a0e23f848fa0cedcc1e | 0 | 0
Certificate Exported Via PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5d6cbfca798cb6cc7bd8029cf8dda1f2096f0f7f9a422bdde483cdc370a4ab12 | 0 | 0
Certificate Private Key Acquired | Zach Mathis | Sigma Integrated Rule Set (GitHub) | beec2af2d4d83b34085ae8f8046960cbe62957a2b2161262398ec726f4582d69 | 0 | 0
Certificate Request Export to Exchange Webserver | Max Altgelt | Sigma Integrated Rule Set (GitHub) | 9ec2157972ed064f3fd9dc25d8dd71195ab84c7747a3c17923cb09230442d76b | 0 | 0
Certutil Encode | Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 1b6510b58b9f16b947f9e665c0a3f3902f2d51f54d01596eb9545d8fd6631aa1 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 01364fb1c5ccb780456530afa742fccc7c5de42d1cbac829fd6f4c435888f499 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 173b1203b0d58ac13e3b93542a1017cf3769eb4ba1be56bb4bc926e53578dc74 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1d13c62f756a81c5138fc3c57236cc1ec96910a5b90687e628170734dae53640 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1f40062e963356a7f04535a0f3fb4eec269440ca226f367f7b8bab940022cac4 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 353ed25aa9f2dfe8e0a56f2a3321d579ce4e7e8d20563769e0f02ff01ac06c3a | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4207cea59e80ca7ec1b55f3bd2cfae0e47398daf8485c73feabf38a1484ac532 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
5a93f630933a2040c4795df341b70fd08f3b7f1730c331cb6e025d13fe3d7d30 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6d4dbcdef02bddd827d8a0739ad5f31dc3844674ae32cf4be9de19c3e4202940 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b1eb7ac5e07136335fc21860603d89c40eb6488824477f00827b6749b15c1217 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fed33455c8438e9a672de5f0fc2f48651ff0449b0427f5747e2b98db25e3088f |
0 |
0 |
Chafer Malware URL Pattern |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
cadeba64d91814a5bec0863ecd58722639024a5eb3b5f8e1059bf7ac84765c9f |
0 |
0 |
Change Default File Association |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6143134666e4626abac4d906c673c60d7fdb48a48b44f2817af790432cae836f |
0 |
0 |
Change User Account Associated with the FAX Service |
frack113 |
Sigma Integrated Rule Set (GitHub) |
26eb124f6709979c69bbb0025f3a401c81cde2ba2f83098c32504f896490fc2d |
0 |
0 |
Change the Fax Dll |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1cd0c62ae8a59243c600f2ecbb1c6b3e7b207c19dfdbc91defb8557cdfecef34 |
0 |
0 |
Change to Authentication Method |
AlertIQ |
Sigma Integrated Rule Set (GitHub) |
b48b8735d4b0c36f6b4415f9561a541fe792f70783e40570d3558a3bdb50c550 |
0 |
0 |
Changes To PIM Settings |
Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
94959dff01cdd28a250a85a42bf6d1f929fcad2d6921cf8ec73ad94b5f982fca |
0 |
0 |
Changes to Device Registration Policy |
Michael Epping, '@mepples21' |
Sigma Integrated Rule Set (GitHub) |
c58894734cae6401122b9f113877703c228c29a8fa3e4e32c1441c985c927215 |
0 |
0 |
Chmod Suspicious Directory |
Christopher Peacock @SecurePeacock, SCYTHE @scythe_io |
Sigma Integrated Rule Set (GitHub) |
859cf7876f0c68da27f3e292a5e428393e9a8004af0c330fae9787dac43b7bfe |
0 |
0 |
Chopper Webshell Process Pattern |
Florian Roth (Nextron Systems), MSTI (query) |
Sigma Integrated Rule Set (GitHub) |
f3eb453b2f9a52250e3b43746736f8c9e0f1cfe7cf56756a7301cc6d67045bd6 |
0 |
0 |
Chthonic Banking Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
5915609df8f0f33be9c7c82797ba777d92dff34c96c4483d76ea06e3a514454e |
0 |
0 |
Chthonic Banking Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b4b70fd58934de4a756c315437db626d32720d43be443f75f71a2eb971673f69 |
0 |
0 |
Chthonic Banking Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bb3d22a048ab0177787e51d23515065a6af77e3dad57b621b06f01af9fa36675 |
0 |
0 |
Cisco ASA FTD Exploit CVE-2020-3452 |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
58180314ba9a1b6fc6135d8a5452d7ec429cce39bb8a0ee05e19b8cf2240315e |
0 |
0 |
Cisco BGP Authentication Failures |
Tim Brown |
Sigma Integrated Rule Set (GitHub) |
c1c6460f01da4621d940943b027bb03ad82d2e169061a67ae8d8c857e5053d58 |
0 |
0 |
Cisco Clear Logs |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
f2d0601cc4bc2b37896ef81bb36379f95f6d6da0f54e5d298d76af6e9e34dfc6 |
0 |
0 |
Cisco Collect Data |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
2c692110983c838f0baff38e18c9350ae3def6ff7afca5af55221519eed38387 |
0 |
0 |
Cisco Crypto Commands |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
c3f4d338f538ec307b874891bf2dbd5f3ab916918bdca04a2ed53da9cb5ba3d5 |
0 |
0 |
Cisco Denial of Service |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
c9b1080d16e9e0175fdcbb202f1842cefd864c57eaa6a64ff1c1b4d6a5e71ae4 |
0 |
0 |
Cisco Disabling Logging |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
caab8d24d82768943d8a9bc5bc8ec1de7d099ef18de8846a7a84c7a0c123ae9e |
0 |
0 |
Cisco Discovery |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
922dd1761e6de8935b8deddf2c702455c9687e7ce9135ddc502be597a434ebf1 |
0 |
0 |
Cisco File Deletion |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
a81d06d9e233156764ebf91e560a8a01fdf1b044beeaaa400b065b5be267cbb0 |
0 |
0 |
Cisco LDP Authentication Failures |
Tim Brown |
Sigma Integrated Rule Set (GitHub) |
e25b710f3b1915a497274ca420eccf7ce816686420806bebb413fd621f516a4b |
0 |
0 |
Cisco Local Accounts |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
066ace76e41c5e84ccb56804255ccf2d9c27332fc287e77151b9a6bd70f1d723 |
0 |
0 |
Cisco Modify Configuration |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
e1d658a7e96d34fae9c9489f15cc7e66d2d932e0902ae1d9b63e49f69008a557 |
0 |
0 |
Cisco Show Commands Input |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
52e2f120bc6f6a2fdea0d88c7334e68be41c50e02ac50ad9447e3b97ccc8e8c8 |
0 |
0 |
Cisco Sniffing |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
8acea30044d76f3304a28112da3f66be2f2b9d450a7cdd1784f9c45ad56191de |
0 |
0 |
Cisco Stage Data |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
3ba27fda76b2e27f70c6f07a668f4d28b5903a7813afffa184749aeb9b961725 |
0 |
0 |
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
afd8157e130ac5b1e85a83666d958d63adfa7ab570ebfbdcabdc1b7034b9f9c1 |
0 |
0 |
Citrix Netscaler Attack CVE-2019-19781 |
Arnim Rupp, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
98e0f69c0d080f1ab9346e1ebed9222049669b100a11bbaa8b110d9d96ad8828 |
0 |
0 |
Clear Command History |
Patrick Bareiss |
Sigma Integrated Rule Set (GitHub) |
c5903ffafd80f3200d3223dd44f4e4200331a8bfef040c23fc1812186018c6b9 |
0 |
0 |
Clear Linux Logs |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4a4b8d80ea9937a6728e92b1079891255ed26e302f37e290db84bbaffc71c386 |
0 |
0 |
Clear PowerShell History |
Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
860e5b755d1cea66957a1dad5567ffc45ea7e50f98c8c0958538a8507ec82f71 |
0 |
0 |
Clear PowerShell History |
Ilyas Ochkov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
Sigma Integrated Rule Set (GitHub)-dfba4ce1-e0ea-495f-986e-97140f31af2d |
0 |
0 |
Cleartext Protocol Usage |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
1f1ab8a0a3fe05dc5f6db77a733d09949a236725db888a8fc8999542edaa9d84 |
0 |
0 |
Cleartext Protocol Usage |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
4ffd878e89c72b4ceec82aae1b81d7e86116017e259d0f026184c047ac87f080 |
0 |
0 |
Cleartext Protocol Usage |
Alexandr Yampolskyi, SOC Prime, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
550069c609adf898c0cd2425bccf7458002df9eda036de658988e3fc1c99025d |
0 |
0 |
Cleartext Protocol Usage |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
d2de6c91a552659c64031d52630045d58a65e9b7f816c23dffb75c531fe65479 |
0 |
0 |
Cleartext Protocol Usage Via Netflow |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
5a34aa084745df161fe9743db142a1c40cb5ee3886200a67d6ad228a51483a8a |
0 |
0 |
Clipboard Collection of Image Data with Xclip Tool |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
bba5d6f743a4d29df17318bea6702db4ec9ccad741bcfd230545482d2f75c48b |
0 |
0 |
Clipboard Collection with Xclip Tool |
Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC |
Sigma Integrated Rule Set (GitHub) |
05e02a479959ef4e06411f4b132dbfbf2eff4ab9239d4732bc6b92c1762decc4 |
0 |
0 |
Clipboard Collection with Xclip Tool |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
5750f0c9e7a5b3d955a1de73bac6ad176f1d221bbe3b3a3c29db1eba3f280619 |
0 |
0 |
Clipboard Data Collection Via OSAScript |
Sohan G (D4rkCiph3r) |
Sigma Integrated Rule Set (GitHub) |
9456883e215175e623eb73fc5dbb97051dd3a45173a64f1b6fdd7f0fe53870f2 |
0 |
0 |
Cloudflared Tunnel Connections Cleanup |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
48787c99cfb6d0430c601a44d4594a6eafff633bca387f3be21825df6a8869d1 |
0 |
0 |
Cloudflared Tunnel Execution |
Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
143bb177d88746ae7cb80c574d4992f4ffef743521dc06124cbc5cfe61ff6a66 |
0 |
0 |
Cmd.exe CommandLine Path Traversal |
xknow @xknow_infosec |
Sigma Integrated Rule Set (GitHub) |
66a17168752e700a1b57242bfc6b9a345959b5142a99316865e1d44df709c32f |
0 |
0 |
Cobalt Strike DNS Beaconing |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
ae9cf008e7075ab1e5658ff0f1449d564314bf06bb13fc381dda84df5e63e523 |
0 |
0 |
CobaltStrike BOF Injection Pattern |
Christian Burkard |
Sigma Integrated Rule Set (GitHub) |
e1f2db3ffec989759e5467440cde906de0dd4aa563b137379e91daed32103267 |
0 |
0 |
CobaltStrike Load by Rundll32 |
Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
a92c2c006c3ed7f60668afcb77342db1049d166af7ab991eb0d6cd8c3e2b2a59 |
0 |
0 |
CobaltStrike Malformed UAs in Malleable Profiles |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
e4c423de550bfad9e2962081acef2175c6383ee5809f156deedc218690445bcc |
0 |
0 |
CobaltStrike Malleable (OCSP) Profile |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
acdef10f5ebf1c2a007b873f8340f11064f333ffafafbe6d5458758dfafd1a60 |
0 |
0 |
CobaltStrike Malleable Amazon Browsing Traffic Profile |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
4c8dcd1969f5864da6d00d316324cc9c07906eb46dcd52cb5ef77dec09e5f886 |
0 |
0 |
CobaltStrike Malleable OneDrive Browsing Traffic Profile |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
e3debddaebc6a6805b6ecd204901a61dc7771baba667b06ae7259af94cbd15da |
0 |
0 |
CobaltStrike Named Pipe |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
acc7e9be68d0e1ad85dc9aafc935bc08834e6cc9a7cc48742991e53d197a46af |
0 |
0 |
CobaltStrike Named Pipe Pattern Regex |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
337224175c49faeb48d475b30549b027ea2f3c467baf9b22a069f35aebe5bd66 |
0 |
0 |
CobaltStrike Named Pipe Patterns |
Florian Roth, Christian Burkard |
Sigma Integrated Rule Set (GitHub) |
905fc9490af8169f526089d670a3608b44417c93f5ab5a80be4f4e507ea02668 |
0 |
0 |
CobaltStrike Service Installations |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
07ed77ae45c45cd6dbde58702a9401f505bb4cd22daf19d09993a5c55b05ec21 |
0 |
0 |
CobaltStrike Service Installations |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
1528f16fe86df1015680377eab269f8383ca863cc09a040605bbd624ab36512e |
0 |
0 |
CobaltStrike Service Installations |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
52fb124d4388460bedaa284c35492d9da80a1d697d6610dcdcfa5dc688ad118b |
0 |
0 |
CobaltStrike Service Installations |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
bd6e98a1ffa061e8610929a967d533a5f85adf437c7f2694f4b79edcf04c254f |
0 |
0 |
CobaltStrike Service Installations |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
d47c2221db7aa13e5c3645ca6ec5b315a643a4b9f5a9e50af5bece9e79885196 |
0 |
0 |
Code Executed Via Office Add-in XLL File |
frack113 |
Sigma Integrated Rule Set (GitHub) |
166571671ff0b50e7d6b641f7490790a2762897cb0cbbe9e2d489edb3d71010e |
0 |
0 |
Code Execution via Pcwutl.dll |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d893a429c2ce543e3a265b3794e1845676e899c8dab1ac888aca5607d9821ae7 |
0 |
0 |
Code Injection by ld.so Preload |
Christian Burkard |
Sigma Integrated Rule Set (GitHub) |
ef655b20c81f4dddb081e2c7fe6c60ee0ea86d7e37cdf55fe02cd0c8586de4d1 |
0 |
0 |
Code Integrity Blocked Driver Load |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e6e7ace9263c4389270ed38b7e0c29fbdc243a863684b3c39cbef17bd49812a1 |
0 |
0 |
Commands to Clear or Remove the Syslog |
Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC |
Sigma Integrated Rule Set (GitHub) |
82fe97976c538cbc804bd324c0c8e95c4df77ed62a637f5e1d33dd2d9c9b416d |
0 |
0 |
Commands to Clear or Remove the Syslog |
Max Altgelt |
Sigma Integrated Rule Set (GitHub) |
9a49b4476704bd301f2c0b13c87316f7e92aef899ef21b8e3f6db3c943390df6 |
0 |
0 |
Common Port with Unusual Service |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
448567e1372cc2d57c61ba1258607614de4959656f08b0c769cc4a2d4b6adf6b |
0 |
0 |
Communication To Ngrok Tunneling Service |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
66c8b63b56d52c8e957113c3f77712e8f387682164afca0cd844ddf44255d5a1 |
0 |
0 |
Communication To Ngrok Tunneling Service - Linux |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4923797d38f9e57931d4c2524c152b3df9355de308a97dccb63f2d0cfffc3461 |
0 |
0 |
Compress Data and Lock With Password for Exfiltration With WINZIP |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b6ab11c7f95ec7eeb0c511d3c26533628fe403bbf4d5d8e13ba54958aa6899da |
0 |
0 |
Computer Discovery And Export Via Get-ADComputer Cmdlet |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ba0dcf90e36e7408825fbc2ef8c0738174fd31ac01bdf199a594035504753788 |
0 |
0 |
Computer Password Change Via Ksetup.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1b69c2b97209ab8f9dd58e3300058e91e7473df6ba78a0ad001451070d2f29b9 |
0 |
0 |
Confluence Exploitation CVE-2019-3398 |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
51b242528b12df33e19aef0d9c491da0899ee0c15706bd24fa1d8bbfdd0c0e20 |
0 |
0 |
Connection Proxy |
Ömer Günal |
Sigma Integrated Rule Set (GitHub) |
70f387e708b9ab503041091a0b074a7d2aa84dea74f61b398fa6fc3f154dacaf |
0 |
0 |
Container Image was Uploaded via Unusual Client. |
Brandon Hart |
SOC Prime Threat Detection Marketplace |
0b491699d6ca77a7ec742e9676c80395862b7093ff6ffbfb2aa1d4d22e32f84e |
0 |
0 |
Conti Backup Database |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a8204898cf8fc5736e342a77657426a9af40b6b573152d2d6e852a3112dead6d |
0 |
0 |
Conti NTDS Exfiltration Command |
Max Altgelt, Tobias Michalski |
Sigma Integrated Rule Set (GitHub) |
0b3dd39a21682b0ad57453e8c2da509ea751696a9ed99cae7fb6658a7c77adde |
0 |
0 |
Conti Ransomware Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c41fdd8a72030a4b0b96e025a1f36e7970262ad1e17a4ad2a29f643cb2033927 |
0 |
0 |
Conti Volume Shadow Listing |
Max Altgelt, Tobias Michalski |
Sigma Integrated Rule Set (GitHub) |
08ef6e8b498eef96cef9154fc59c951d935c3fc9b707146c4eca4567eaa5db9f |
0 |
0 |
Control Panel Items |
Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) |
Sigma Integrated Rule Set (GitHub) |
2f683c72a6ae438b4161918b9e82bb9c7e09f701f65f85be9231ced52084f219 |
0 |
0 |
Copperhedge Malware (Hidden Cobra) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
aa72a19331c2c067f40e6e48ff853baac0a3d4a25566bc66809995fc42cf7cd8 |
0 |
0 |
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a292fe3208d4e527b02e65976d44d0f6cfe4c3966558ae97f2b6ab6403ffdb94 |
0 |
0 |
Copy Passwd Or Shadow From TMP Path |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
8ded73daf32e44d8446fc45b91e962b9508d911e85c06d0481f7c4321eba41fd |
0 |
0 |
Copy from Admin Share |
Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st |
Sigma Integrated Rule Set (GitHub) |
253df726683ee378cff180cb32526ec9f10b897edda084113b11cbeba118fbe3 |
0 |
0 |
Copying Sensitive Files with Credential Data |
Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
8712e0baf2cbfba40ac1ad1854da93829b0f78d6eba117de03912aa985d46a79 |
0 |
0 |
Correct Execution of Nltest.exe |
Arun Chauhan |
Sigma Integrated Rule Set (GitHub) |
f2418d4c95e6ea8c75c68ad4358af3fc47e78b7630289f9d13fe04dc688a039b |
0 |
0 |
Covenant Launcher Indicators |
Florian Roth, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2957c0808592ab632134afd63650be8c47697a8350bb5cb19a8272b9da595777 |
0 |
0 |
CrackMapExec Command Line Flags |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
3b089e7f895f7da0d05f361a5815b3fb843bf243e11174993b9d167b40cdd5ba |
0 |
0 |
CrackMapExec File Creation Patterns |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
025208b5b73f1640ce17844eb62f40d4ee3a9bf72b84c9cf66b9777b72e2ed33 |
0 |
0 |
CrackMapExec PowerShell Obfuscation |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
c5f36e07dfb01984d08d19db1fe7f194936f079b371ab900d58eff493b972744 |
0 |
0 |
CrackMapExecWin |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
4937cb1804ae450d1760b136159503b4a353a27a37e6b66253c12834ae1fa611 |
0 |
0 |
CreateDump Process Dump |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
687da476fe7fa5f062fed8f4a4daf9774c0ac4734d817bf428d2c8de23a0b15f |
0 |
0 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9ba3182e2ff92ecee64624cd2f1f24935f5ebeb42a5e6530cad6ea428e2941ea |
0 |
0 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
b0407739067c1a391ad55a8b30a1c8109e9239a36d94cf389a4f842a53e36f73 |
0 |
0 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
b66ace0358aa3fe35f98b7d2f726aab76956778883e2fd65cbc867bae21e360a |
0 |
0 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
db9bea11b648e60a727a16af04702fe0746657460d47aa50814a4f7999f58cb6 |
0 |
0 |
CreateRemoteThread API and LoadLibrary |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
7b3a31059be73d0a2a66f61915b2e5a4f5a37cea4d4de5e3cc8c24f5e2a310f1 |
0 |
0 |
Creation Of A Local User Account |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
de6224d573389a0f865f0a33bd9bc3784cd12bf697150f8f8e0a9708a4e00199 |
0 |
0 |
Creation Of An User Account |
Marie Euler |
Sigma Integrated Rule Set (GitHub) |
f796279cc60013c4736e3ef7e5a140375fba8a3d78694c9d524620326ae8efcf |
0 |
0 |
Creation of a Local Hidden User Account by Registry |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
958ac16256f17b20c00b2a83f4bbad49236266d2b84e59eb2d3c29989efc96b0 |
0 |
0 |
Cred Dump Tools Dropped Files |
Teymur Kheirkhabarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
45248d2871f8e9f12191effed010f35a307cc4e1eb1350ad7dd486fc07bc0bdb |
0 |
0 |
Cred Dump-Tools Named Pipes |
Teymur Kheirkhabarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9eed77c2ef05fafded05e61ec71d8bdd695696543061ef8b84fca37d1606484e |
0 |
0 |
Credential Dumping Tools Accessing LSASS Memory |
Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a293708df42b2beba9f1a26e123fed278dfc67f5946ce8c995b2800c58d69e2f |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
1243009f29fe311d9199398e8babee9294e8f9e57205fe6ebec6696ab0eec9e0 |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
433b594a58a12c33431c033f7e53c41d5f635df8cee206163112bfffde169958 |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9a7af0218101ae1b67047098f1cf187e06c88982ba45ad3ef1c685c27788b02d |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ad25ab512a3789c7da7d55a7b60c4d528db1206a0a4d26f3f44d945cc456cc2d |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
be637f31d674fd7f3e36ce2982a40811732c7bbd70435fdb0378ab0bcbd73618 |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
cda32da0a87ef0f9603fc5592471efd0b39082003d4bc39f06871a5dd4336130 |
0 |
0 |
Credential Dumping Tools Service Execution - System |
Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
61e2aaf48c321983d311349f6bced27944c28bcd53f96ee143d8a0a1c321a5f2 |
0 |
0 |
Credential Dumping by LaZagne |
Bhabesh Raj, Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
8cca9e462f882fe58e9f320bb7380d7edbaaaab831521d9f739cca42cf64db37 |
0 |
0 |
Credential Dumping by Pypykatz |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
e7a973176dcaaa7050f1a216ca0d3075bfc12fecf2db13696af32148bd07d6bf |
0 |
0 |
Credential Manager Access |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
24966e29f8ae02e09ad40f3d903269a0ead88427f40a35139eb4d628aa926547 |
0 |
0 |
Credentials In Files |
Igor Fits, oscd.community |
Sigma Integrated Rule Set (GitHub) |
26d8c61d691959676fb6d8b0217d408f4dde823800f79771a458011d3577ffbb |
0 |
0 |
Credentials In Files |
Igor Fits, Mikhail Larin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
bb9fce766014ab2fb22106410384571f0217fa35e9914bdc3dd86452d8d4ed64 |
0 |
0 |
Credentials from Password Stores - Keychain |
Tim Ismilyaev, oscd.community, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
0a2ce7410c4271e6c41926b4fe0f5903a05d4a02cd8dcd4a273e86065b3f46b6 |
0 |
0 |
Crontab Enumeration |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
23f3512bc30a856ca1f3906b9e52716a70df17c2083065536ac9ea6176aaf3ba |
0 |
0 |
Cross Site Scripting Strings |
Saw Win Naung, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
abfc554e6723d78308adb5dd0917e5604dac15611a98637633eae81fc3aff08f |
0 |
0 |
Cryptbot Stealer |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
06c9cbff1ed607186f04da92f2cf1648e2db7108306751e56b1e9f5123d11b60 |
0 |
0 |
Cryptbot Stealer |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b2707a69365d76d4836147eeaf9407e838f5322fcbd5f89cf86c86f1ba4239d5 |
0 |
0 |
Cryptbot Stealer |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
cdf252693ebe9b52f81229cb74ba8436f6cfdf9cc5c11f178cf9edb027c266aa |
0 |
0 |
Crypto Miner User Agent |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
ff0cfc194b0f8edd392e317c8a3d0e012351873096248a33ca36c2b71f5ab3a1 |
0 |
0 |
Curl Start Combination |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781 |
0 |
0 |
Curl Usage on Linux |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e576f496b0ac03c619b88124a419d2c717d3f5e3f5506a17e145443091bda155 |
0 |
0 |
Custom Class Execution via Xwizard |
Ensar Şamil, @sblmsrsn, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
c0bd5b42809f6cdda07709c25bc0f42cbb0a674ce80ec8c63788ef1efd31cdc5 |
0 |
0 |
Cybergate RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e806ec700e831384b0d77c8508e1614d850eb5c7ccb89a9b745d0871c0136e5d |
0 |
0 |
DCERPC SMB Spoolss Named Pipe |
OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
9aca3bd938d644fb20cf3d83a10353ff1440153ab17579e69ed2ee17848c5d93 |
0 |
0 |
DCRat Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
35dd39a15009dacc7bdd973a9fb1484b964accb38bbcb7a63bc0b1bf73131df0 |
0 |
0 |
DCRat Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d6883f28a13f18946f9da1e0d84588bc6e01de49d97cdecbb8b3d5bc2b945880 |
0 |
0 |
DCRat Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d84b3a1cba66ed28c6c66d9a5dd807e984d42ba3b1e61ae45717b77695109095 |
0 |
0 |
DD File Overwrite |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC |
Sigma Integrated Rule Set (GitHub) |
ae140eaae48e1659eb9013e9c7758cc3ebb59100fc5bce9ede4e8a0ca0fb76b7 |
0 |
0 |
DEWMODE Webshell Access |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9e465f124d03f3f4a5d575cc4d87bde86fda1fa3092da13a47c07f473c865bbc |
0 |
0 |
DHCP Callout DLL Installation |
Dimitrios Slamaris |
Sigma Integrated Rule Set (GitHub) |
08a22f080dbceb91fd6109159e695139744d9c12f6d94b12c35474b710aeb4ae |
0 |
0 |
DHCP Server Error Failed Loading the CallOut DLL |
Dimitrios Slamaris, @atc_project (fix) |
Sigma Integrated Rule Set (GitHub) |
11670a8f337ded0b6b72a5c41df4831c1b1da694f85e044e4afe1839d5dbc82d |
0 |
0 |
DHCP Server Loaded the CallOut DLL |
Dimitrios Slamaris |
Sigma Integrated Rule Set (GitHub) |
4928e3042535af018624a20ce17e807b66cf935200331da04e2db35a1b6cb695 |
0 |
0 |
DIT Snapshot Viewer Use |
Furkan Caliskan (@caliskanfurkan_) |
Sigma Integrated Rule Set (GitHub) |
203a47b7ef9f6721efefc8005ca1492daf475a9b03afc70af3fde9780df06253 |
0 |
0 |
DInject PowerShell Cradle CommandLine Flags |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
10bbdc113d1dc5813708dd95928a8d1a38b22ab4b85bc027daaf8ac7aae65c9b |
0 |
0 |
DLL Execution Via Register-cimprovider.exe |
Ivan Dyachkov, Yulia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
dd9b6910a5e264c2b56a7a735f0cfc2cab9c341775db4a260bbadf7815d05772 |
0 |
0 |
DLL Execution via Rasautou.exe |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
18ed0db67fcc790c2b7e9ff5c111ae3691af0b9f2d52618d41d7f956ce8aa598 |
0 |
0 |
DLL Injection with Tracker.exe |
Avneet Singh @v3t0_, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b829a2f1ed89d5380f218ac5f6e134b4301319062cf792789557f30f6f903d24 |
0 |
0 |
DLL Load By System Process From Suspicious Locations |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a341c10327c4d8c5407ea5b704ad11932a391174e37332792a2b456adf4ee9b8 |
0 |
0 |
DLL Load via LSASS |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
4dbf0d3da4d07dd172361786684269e5741eb3602ce1bf2c2c287041e8abe017 |
0 |
0 |
DLL Loaded From Suspicious Location Via Cmspt.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7fde3c5ae3c028a596ad8a76eb1a4b7ab0f64f939f847ef0f25f723659fbae8a |
0 |
0 |
DLL Loaded via CertOC.EXE |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
42f3abed5774e74cc80412cad617ceb1f8881fc484a38c351eed5b589c80dee3 |
0 |
0 |
DLL Sideloading Of ShellChromeAPI.DLL |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d07d6140d7d6a4e6a50db53310ea4d80cb48d33c95e0ced5e0570d488c2afc0b |
0 |
0 |
DLL Sideloading by VMware Xfer Utility |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
101d7b771d2663a74e9a33cf0dc8d8475af6fe5fd97cda9ecccde0e9c99325b6 |
0 |
0 |
DNS Cache Enumeration (via CIM/WMI) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
11f3c97d5bb96ad59c7eb445ca4feeab94c4ea4fbc54c6a6ff11061bab8a11b3 |
0 |
0 |
DNS Events Related To Mining Pools |
Saw Winn Naung, Azure-Sentinel, @neu5ron |
Sigma Integrated Rule Set (GitHub) |
ed013f86bfbbcd25b8e462391d437165af76f6ca7e0b33cde4fceb2ee58d3e57 |
0 |
0 |
DNS Exfiltration and Tunneling Tools Execution |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b5eeb195cf8da826ce09652556c789913808b5869a15ad6d6771d084721b65e0 |
0 |
0 |
DNS HybridConnectionManager Service Bus |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
3aadcde102c8a083c36e571f1926927d5bdeddec39fc0f3ca9c514988407c7fe |
0 |
0 |
DNS Query for Anonfiles.com Domain - DNS Client |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
12c2f09405eb6cfb663a8cb88fab690da7fc0b72826d360fa3c6714abd86b972 |
0 |
0 |
DNS Query for Ufile.io Upload Domain - DNS Client |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c79f5bc9cf7e15e6774913e56090aed7fc5e39f8a3736629ce5efd2eb94d220a |
0 |
0 |
DNS Query to External Service Interaction Domains |
Florian Roth (Nextron Systems), Matt Kelly (list of domains) |
Sigma Integrated Rule Set (GitHub) |
9cd7d0464b2ec471865497eaad8a6c4d1a73db7c60ab90f17e39cd455bb7c847 |
0 |
0 |
DNS RCE CVE-2020-1350 |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
c2b9377be93da37de7a04778f2a879e0e03b32b8aa2f1d0dd8b7c1ba72d7727b |
0 |
0 |
DNS Server Error Failed Loading the ServerLevelPluginDLL |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
a560dac7223fded812b9599d8c99d99739563099829698349739e8edeb365cc8 |
0 |
0 |
DNS ServerLevelPluginDll Install |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
5935b25ff10421da2a478f9f484858a9599e6551a17272c7a4017c6e1a55df07 |
0 |
0 |
DNS ServerLevelPluginDll Install |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
8435be4251ebdf2b4f18ae9d65faca381dc2fad4574c29cff3a962e5c9237487 |
0 |
0 |
DNS ServerLevelPluginDll Install |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
8a0b41208edc45c1f006ab6da0f12b0b819a810a16ba4179e2ef632571eafa18 |
0 |
0 |
DNS ServerLevelPluginDll Install |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
cfcbc45713ff3176a1284f986927a251f17c892931e87871325476256b26bb0c |
0 |
0 |
DNS TOR Proxies |
Saw Winn Naung, Azure-Sentinel |
Sigma Integrated Rule Set (GitHub) |
1b16378c68113f05c5cf4b51586d582401449553cf4775243b8ce459ef59ef99 |
0 |
0 |
DNS TXT Answer with Possible Execution Strings |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
8960985ab852fb33eb502577cd94683447f94e1a5299bfb607905f6a591cc78e |
0 |
0 |
DNS Tunnel Technique from MuddyWater |
@caliskanfurkan_ |
Sigma Integrated Rule Set (GitHub) |
c2860e5a2a470c1dbb00003a43f3a9f04e5180cb5c7ec9e7a5bdcdfdd86a15a9 |
0 |
0 |
DNS-over-HTTPS Enabled by Registry |
Austin Songer |
Sigma Integrated Rule Set (GitHub) |
0426d73fef7393ca82c3fbe1bedafc6d698e787d2cd679e17ae93a3b446a487f |
0 |
0 |
DNSCat2 Powershell Implementation Detection Via Process Creation |
Cian Heasley |
Sigma Integrated Rule Set (GitHub) |
b31e87788fbc1690d2371c0a80ebe27cf8c7a433c9a7f28b1a077ba534308772 |
0 |
0 |
DPAPI Domain Backup Key Extraction |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
d9a0bb3db2e444420bfe144e0ffc3f7e4dd9315a4792d088f6d79b706ac5fac0 |
0 |
0 |
DPAPI Domain Master Key Backup Attempt |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
084c47f6ea9d2126ec7b6b95e20cdf54557800f1b8394ae472f95b6162be6db1 |
0 |
0 |
Dacls RAT (Lazarus's Linux Malware) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
79cabd2716a91ac3ac201a106a3c135e584d110d8527ac138457a5b89fb2b2a6 |
0 |
0 |
DarkRAT Botnet |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
097182ab9d206700057ec3ab10e6684d34c9b3ff109901a14fb1dbd8da889d95 |
0 |
0 |
DarkRAT Botnet |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
0d8a277066bf7279215ee87bce9077e63ee0037f495593431ddbff9fa822c179 |
0 |
0 |
Data Compressed |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fb2193574c75e35df0989335aac30e2e13f3b8163caf7eef46058ae407b19e98 |
0 |
0 |
Data Compressed - rar.exe |
Timur Zinniatullin, E.M. Anhaus, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e5fedf5f2a45c0555943282d3dd05186495acc374df19f7735f92d6d648dd1bb |
0 |
0 |
Data Exfiltration to Unsanctioned Apps |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
bae0cfa813856773ccb7c9ac2654b2f064928c841cb1442d6dda554b4e346c98 |
0 |
0 |
Data Exfiltration with Wget |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
334aab46cbdf770ef0720448d240e1b67c2a759449b703fba9d425f1450d83f9 |
0 |
0 |
Decode Base64 Encoded Text |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0f307ac40cafbbdb1e262b899732195a25952ad5bb013ca8e6d280eefd45a141 |
0 |
0 |
Decode Base64 Encoded Text |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6101f5b902371808a5b407d66c189f259bec69ab6b4cf5b58a655af663843c71 |
0 |
0 |
Decode strings from lnk via findstr.exe |
Joe Security |
Joe Security Rule Set (GitHub) |
9d57b9ed7a852960b15a4d2a7fb4faa9174893a98953c9f09989faab11ed110d |
0 |
0 |
Default Cobalt Strike Certificate |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
19a7f2dd57b12f6048694290890081c7033fcf871e2c6ac4ddac91980374c15b |
0 |
0 |
Default Credentials Usage |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
65501b5c31cfa5ab80e3a4512b833f9e4bb77ef303f17fc8839abf9c1b435969 |
0 |
0 |
Default Credentials Usage. |
Alexandr Yampolskyi |
SOC Prime Threat Detection Marketplace |
3ed924bf0f9ebfc7642bd2eb1a2b925d801ff58fd267c5066fe579c55051e5cc |
0 |
0 |
Default PowerSploit and Empire Schtasks Persistence |
Markus Neis, @Karneades |
Sigma Integrated Rule Set (GitHub) |
40b130caca0f58482d7bae973cb51c3d6c7a02a91a7f448a1c19eb96333f5a10 |
0 |
0 |
Defrag Deactivation |
Florian Roth, Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
1ab376818e4cb7b7005cf46c5c118f9d09e2779f289cd7f37afc5fca8fc6e4f5 |
0 |
0 |
Defrag Deactivation |
Florian Roth, Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
462e0455aac7979a208190934de4564c8d6f5759fa73ea355f31b871967ed1eb |
0 |
0 |
Defrag Deactivation |
Florian Roth, Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
4a305b6df01e5870b2018b579218b7e7b94bcc24e0959629d5cd3812d771d39b |
0 |
0 |
Defrag Deactivation |
Florian Roth, Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
f7c48f991deaa5a1f44d21dc156d1989c5c383f971da93ecc1eaf11928860293 |
0 |
0 |
Delegated Permissions Granted For All Users |
Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' |
Sigma Integrated Rule Set (GitHub) |
7e53f4cfbdfd2c5fa0247d5fe1ab4a1b36136af1830a5d80710976b3908c48dd |
0 |
0 |
Delete Log from Application |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4d5c0f83a4373919c5837ae554218d0f9f5a99734abf344ba8aa116d3f489bc2 |
0 |
0 |
Delete Volume Shadow Copies Via WMI With PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
57a9202655d8133d3a5eb0a9d51c9f5dedb6b15cfc700005f6f0d686df4f2ba2 |
0 |
0 |
Delete Volume Shadow Copies via WMI with PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7435e1880cdd78f155ad539eaf8348f3ea0d6fa1183fac382443553cac2159be |
0 |
0 |
Denied Access To Remote Desktop |
Pushkarev Dmitry |
Sigma Integrated Rule Set (GitHub) |
755295cd9d58dfbf7808166ecd446d284fa160fe7f2e2b5673aeef6cc5cb0a44 |
0 |
0 |
Deployment AppX Package Was Blocked By AppLocker |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7da40e839cf5f0d73087f8c6c4717de3ec7a13449ce8e188460f89e33b12e2ae |
0 |
0 |
Deployment Of The AppX Package Was Blocked By The Policy |
frack113 |
Sigma Integrated Rule Set (GitHub) |
dfe6fcb13ba0be0c88ad6cf05f81ace91ae31f8bc6eccf703deaa99c200d55dd |
0 |
0 |
Detect Sql Injection By Keywords |
Saw Win Naung |
Sigma Integrated Rule Set (GitHub) |
7940d1dd84f2a311d67ac511006deeead549c05a4cadaca9908e1071a153106c |
0 |
0 |
Detected Windows Software Discovery |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
296c4235eb2d9969dd70271f37fd8708d44ea158f9a24508790c33c5b6003dae |
0 |
0 |
Detected Windows Software Discovery |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
45e686dc153cf8d6e5cf577bc67b50dc6668c51412eddb7aede600f65fd5e9f0 |
0 |
0 |
Detected Windows Software Discovery |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ddc07067e955f9f404023ebf4e274002f57acb50f1fe16fe88b6704df84b3864 |
0 |
0 |
Detecting Fake Instances Of Hxtsr.exe |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
8dd172636988b9cdc1bf44aaceb27f6009d97516c54decea0812022b61cd8d7a |
0 |
0 |
Detecting Sysmon on a Victim Host (via powershell) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
9d639e1b707b6f24ae8b637df63d5ac02aac0933b062d3477fa84d3194dc4e7b |
0 |
0 |
Detection of Possible Rotten Potato |
Teymur Kheirkhabarov |
Sigma Integrated Rule Set (GitHub) |
45c3c61e20707c18533d763c9e1c0a2f3abd229bd485f75c933da3e4ba156186 |
0 |
0 |
Detection of PowerShell Execution via DLL |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
5980c0048e6d0468659094b73e0c348afcf2c52a7842e03089c1279a023c70c9 |
0 |
0 |
Detection of PowerShell Execution via Sqlps.exe |
Agro (@agro_sev) oscd.community |
Sigma Integrated Rule Set (GitHub) |
541caef712c71465ca223d69670a2ef4826f41323f21f161bc699c23ba201602 |
0 |
0 |
Detection of SafetyKatz |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
5b2f81ece2c70e3e5e4dd770e0b9c755c90c099bf527d2b257d43e1193585d13 |
0 |
0 |
DevInit Lolbin Download |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
6c91ae4afec46136577c1773ed9b9e0de2efd87a7f856d642c840bcd7ecc1a2f |
0 |
0 |
Device Installation Blocked |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c4ef183c583634c30e2ec4b60aecf6212b479a205961b7a079cf77cf3a10498b |
0 |
0 |
Device Registration or Join Without MFA |
Michael Epping, '@mepples21' |
Sigma Integrated Rule Set (GitHub) |
a158153f262e73c2256d05133ad9d1479ec9fbd516352021e325ee5e7373be61 |
0 |
0 |
Devtoolslauncher.exe Executes Specified Binary |
Beyu Denis, oscd.community (rule), @_felamos (idea) |
Sigma Integrated Rule Set (GitHub) |
336df26c319863147659e184f6387914d5b34b55eeb4dabe819907f747016967 |
0 |
0 |
DiagTrackEoP Default Login Username |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ef6b78708541778890f149b517c7191263263f7e3d08908ab5d2e6d2b370d91b |
0 |
0 |
DiagTrackEoP Default Named Pipe |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a64d5075ca8a68f98e37b952659116501a5fca9bdfa256bec6ee04447d1726b8 |
0 |
0 |
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE |
Greg (rule) |
Sigma Integrated Rule Set (GitHub) |
59b298e2e3b915378e28421e82fd8ba5669ee9eb26f07f878bde7303b4baf016 |
0 |
0 |
Direct Syscall of NtOpenProcess |
Christian Burkard (Nextron Systems), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
e01fcd88ad6ac5ad9762f652a28d6c714dc5ccf89b89c118bdd3bb33e5cf8abd |
0 |
0 |
Disable Exploit Guard Network Protection on Windows Defender |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
8c426cb2a8a98a743f8e95cb5717e867cc5d4d22fcc97255e10fac2d59176fac |
0 |
0 |
Disable Macro Runtime Scan Scope |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e448df332034272fce5d2071fe9f070084a293696a4d9f879591bcd91b12d862 |
0 |
0 |
Disable Or Stop Services |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0aefa5af3ce18645188a34cbad40ebfc008ebab07e5d5404a636792bb7023634 |
0 |
0 |
Disable Privacy Settings Experience in Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e047bdf5f28a6d7c67d53f5cae5362d16ec6a73c354de983be8efbd7d19039ff |
0 |
0 |
Disable Security Events Logging Adding Reg Key MiniNt |
Ilyas Ochkov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6eaa9c84915e6b68d49ea0ea6b069124ad33f6d9666e8baf43270a57ee9e1b2a |
0 |
0 |
Disable Security Tools |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d934cd2adbdfb7c12ed5f937e36ed253d3f53495f0194507c0ea80b55f983957 |
0 |
0 |
Disable Sysmon Event Logging Via Registry |
B.Talebi |
Sigma Integrated Rule Set (GitHub) |
4bcaa5dacb5e1eb968ca726b5580829575896d88af4c640f430427376c3fffe8 |
0 |
0 |
Disable System Firewall |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
bfb6779f8bcb262174ab1cdfd6dc6c24f7ab01aa0510928dc59d51257c11e472 |
0 |
0 |
Disable Windows IIS HTTP Logging |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8e9b40932ae787a51edc9fadbb2fd842437eea7b83804b0090d7f069e2d0a5f2 |
0 |
0 |
Disable of ETW Trace - Powershell |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fb21aa9533b87e78511396a558c521c85a35533d4f9f44f9380e79dcee68ae56 |
0 |
0 |
Disable or Delete Windows Eventlog |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
780ed5be93f71a397b1b6c9d95912c0781c2ed9114eef8fc5aec854bf80b1f2c |
0 |
0 |
Disabled IE Security Features |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
dd832d1e805b850c68be7f120da6482e6126a8ee0860e3355d54604a2040eee7 |
0 |
0 |
Disabled MFA to Bypass Authentication Mechanisms |
@ionsor |
Sigma Integrated Rule Set (GitHub) |
53b242e959d09f957c67fcb81b740965ebe398e9ef22bb0d8ec23f5dd1add1d4 |
0 |
0 |
Disabled RestrictedAdminMode For RDS |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e448d82f06478af407e6d655ffbea46e7a876deeda7f5ab28f9de6183e6708a4 |
0 |
0 |
Disabled RestrictedAdminMode For RDS - ProcCreation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5075a0208eb230de355c4c0125a6de311c4310421450c41c6c09a979f9ce0307 |
0 |
0 |
Disabled Users Failing To Authenticate From Source Using Kerberos |
Mauricio Velazco, frack113 |
Sigma Integrated Rule Set (GitHub) |
a87dc529f00cccdafd3037358d753f5b37bdbc5d5860e077d8794985d3d93f5d |
0 |
0 |
Disabled Volume Snapshots |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
570e42eea810ffc81d8b3f1b5d284c891c1ca4a897bc6a8d5307ba5ac4feebbe |
0 |
0 |
Disabling Security Tools |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
17b8565aac7819789a47a069aa7bbdb1c69f755edcfcb766c10e1d973768a357 |
0 |
0 |
Disabling Security Tools |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
495b384015032ab9c529e649f340c35394c72a7ace8daf0aecc9b3fe7bb5f54e |
0 |
0 |
Disabling Security Tools |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7c1caf17a217864cc13be5d7320e631c61b949686fc630c72b5d143d1b4cdbbb |
0 |
0 |
Disabling Security Tools |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
df800176ac79cd510a92bccecd1ec64124d8917bd009406abd5457f353896225 |
0 |
0 |
Disabling Security Tools - Builtin |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7657d165811c7f6d4f9ff55e9ce81d8405e42f6157faed664f28bbc8fe97e560 |
0 |
0 |
Disabling Windows Event Auditing |
@neu5ron |
Sigma Integrated Rule Set (GitHub) |
d73609956e7379a0917a1fd771e4351b523579011a752df34e3ed749bf878180 |
0 |
0 |
Discord client stealer (AnarchyGrabber) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d513011ab49524e73ae98c85b1f902158f55f0412551679d5acbb03eee68c4a3 |
0 |
0 |
Discovery Using AzureHound |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
285046a386633dc2065de3a86c090ace867fc6f4d6ea14d4dcb8e3129bbe7292 |
0 |
0 |
DiskShadow and Vshadow launch detection |
Eugene Nechiporenko, SOC Prime |
SOC Prime Threat Detection Marketplace |
85495f94a180f99ee2283759ac8a387cd3df5ff6802bcebcd6fd16bd75788af7 |
0 |
0 |
Django Framework Exceptions |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
fad46f86c5fe8acee91d73cf5901cf64df547e2777230845acfe89b79cbf172a |
0 |
0 |
Dllhost Internet Connection |
bartblaze |
Sigma Integrated Rule Set (GitHub) |
0469df5507574c65082f62410c1cc9e493ba1daeff82396b38a60516c6f4187c |
0 |
0 |
Dnscat Execution |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
c625578e8b4d44c52ee346e1df82116ed7e4896e4caad93d0fdb7fba487dbfdf |
0 |
0 |
Domain Trust Discovery |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
4fba485fa9f02eb8d0e28a7b84276fb6a276943a2948a62fe3d614248af840fd |
0 |
0 |
Domain Trust Discovery |
Jakob Weinzettl, oscd.community |
Sigma Integrated Rule Set (GitHub) |
50137e4985d62ff32fe9acc8ecd34bbc1e546bce28ae9d0c168c5bc0e62c2098 |
0 |
0 |
Domain User Enumeration Network Recon 01 |
Nate Guagenti (@neu5ron), Open Threat Research (OTR) |
Sigma Integrated Rule Set (GitHub) |
11a4140a5787cdd2ea81d81e4e06755144d3c4abe02a886ec68eeb79c5273223 |
0 |
0 |
Domestic Kitten FurBall Malware Pattern |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
d75f4b248c10259b1011107000396926b1a9e5cd4b0031500be48aee109855b5 |
0 |
0 |
Donotgroup APT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
431dbf8b11cf45bebac6646a5fe3c450c306b29edaf25977675ee072495216f8 |
0 |
0 |
Donotgroup APT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b3a4cba903a56c4b1c614cbde0de39dbec54a5aa5c8c8990df7f654b4a4c05ab |
0 |
0 |
Donotgroup APT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d65688b1788bfa0f9d3f71219812a68ef61b2de1f9da32a3be8f9ce57314eba0 |
0 |
0 |
Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN |
Beyu Denis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3fba0f206c1c867f04a34552b850e8eeb0b219621923d394bddad4789f293152 |
0 |
0 |
Download Arbitrary Files Via MSOHTMED.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
60d28276317f25fdc7fa0acce62da99237f387d5ab5624b5f0fb9a3311f144ed |
0 |
0 |
Download Arbitrary Files Via PresentationHost.exe |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ffb4d3b820e87f926948fb36dd6a790bd67e547ee318bb322626148b736139f7 |
0 |
0 |
Download EXE from Suspicious TLD |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
0182cb90eb98bcbd6b9724bdf7aa6f62ee6e327b059e24257dfd8339db0d3579 |
0 |
0 |
Download File To Potentially Suspicious Directory Via Wget |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
c14acc44b7a21724d221a1ace54effc332427d0340619e20a9dc8a66cec01ec7 |
0 |
0 |
Download from Suspicious Dyndns Hosts |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
d24da8eb78bf79c4be60dc23a68bd4ced6da6a3ad0eca8e8c2f4f43d08527e24 |
0 |
0 |
Download from Suspicious TLD |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
5ccaad9297f4a0eab603caddab274e285f600daadd324b7ff0b1664d5fa19675 |
0 |
0 |
DragonFly variant (Goodor) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
76c36e8978ca88131a604877350f6d74659dd6354870487d271706837731f68c |
0 |
0 |
DragonFly variant (Goodor) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b36ce9f509e99bf322f61b552fe1197b17812c6ec7e34429e60852ccce9b21ff |
0 |
0 |
DragonFly variant (Goodor) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f9376b94f03fe9d6f1fa80fe124bddee8d9d51ee56b3e761e3b550f5717ea1e8 |
0 |
0 |
Driver/DLL Installation Via Odbcconf.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5a904d51bdf849fcbc2359cd5f5bfe7fb4f4a689bdb4ad7295d051464f07c8a2 |
0 |
0 |
Dropping Of Password Filter DLL |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
ee1da0ec4e59bf6a30e8d78efcf41afcbe4babcee998f991aa62701b5fdb80df |
0 |
0 |
Drovorub Malware Detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
00861734ad4b4865c4fd337b091aace8388feda059f681fa1a0d0a6659b55d31 |
0 |
0 |
Dump Ntds.dit To Suspicious Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ae98f10c9c3089fe4172736d9574028281ef25bce3681b6a3006bcb97ab56bd1 |
0 |
0 |
DumpStack.log Defender Evasion |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9aa94cce0b20ff88d8c54a77c049e7d80f00af8ed4def6aa7395dc01692b5394 |
0 |
0 |
Dumpert Process Dumper |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
4182b10f293111ccccca770ada467f9a23c6679818008b7436e1842cac95a691 |
0 |
0 |
Dumpert Process Dumper |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
758c2b360e853174de27738caef97d466db11778427f5db30224884512b55494 |
0 |
0 |
Dumpert Process Dumper |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9f11ecfc5795bbd9676baf8be43d9bd9f6da30f13022e7d97b279730326db7ad |
0 |
0 |
Dumping Lsass.exe Memory with MiniDumpWriteDump API |
Perez Diego (@darkquassar), oscd.community |
Sigma Integrated Rule Set (GitHub) |
c2b930e9318dce446b4b4ed018e6ade935182bf7ca1404ae47923673beafee95 |
0 |
0 |
Dumping Process via Sqldumper.exe |
Kirill Kiryanov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b8953b2fd9eedf5150cb430ec88f3653045e82c553904a73f87423600b427bee |
0 |
0 |
Dumps Process Using tttracer.exe |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
1b2196c83bd73a6164882d3b22f19d200742a1d5541207b0e4b8684476e12ce2 |
0 |
0 |
Dupzom Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
38bcd0b136a2a67b8c4d5b7a13cd98cf8590d84aba9b380e944c2f8ba851554f |
0 |
0 |
Dupzom Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
68250cc49ef2301bbd3bc5104579a2f065206211acccf6978a71097bddd98d6d |
0 |
0 |
Dupzom Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b68ad5ecfba8b9b44e110368c029c99324cfa21b478209746fa0fcc441e51659 |
0 |
0 |
EDR WMI Command Execution by Office Applications |
Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) |
Sigma Integrated Rule Set (GitHub) |
283d42c1fadd5e7b1d94efc708531703992e171a52b45eefe6e2eba61827fcdc |
0 |
0 |
EKANS/SNAKE Ransomware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
164ef4a9c3213fa19bce8c0def1c7e491e774e8b12b55aaf55c5cc2732b4386f |
0 |
0 |
EQNEDT32.EXE connecting to internet |
Joe Security |
Joe Security Rule Set (GitHub) |
3b421cd3a4401c0dfc3d2c5613d705669e2bdcf8d998c4e363d2e1e5cbd328d4 |
0 |
0 |
ETW Logging Disabled For SCM |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b25c9cdef72ebd81a0d1211a4769034192cd8c731778d8a88a1b327aac9b8b14 |
0 |
0 |
ETW Logging Disabled For rpcrt4.dll |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2e3038ae7bc47420e50f90cbb3decb3348aedcdda901f3ce021b9d2efa66be73 |
0 |
0 |
EVTX Created In Uncommon Location |
D3F7A5105 |
Sigma Integrated Rule Set (GitHub) |
be104b5c33d23ea5b193fa207267ec1f1058e6a2096a14b67fc5c957fdb94b85 |
0 |
0 |
Edit of .bash_profile and .bashrc |
Peter Matkovski |
Sigma Integrated Rule Set (GitHub) |
cebaa2668c1b09efe1fcc6d468abfb9aa15dbba4c6e04246ba9e9f0bf407dc65 |
0 |
0 |
EfsPotato Named Pipe |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
33bbc287fcdff32099d907d122b96db06214e7ef12bdbe38cc574df4fbcd94ff |
0 |
0 |
Elise Back |